Data breach (Disputed)

MobiKwik data breach

An 8.2TB trove tied to Indian fintech MobiKwik — reportedly covering up to 99 million users with KYC documents, Aadhaar and card details — was advertised for sale on a dark-web forum, in a breach the company repeatedly denied.

Victim: MobiKwik
Records: 99.0M
Users: 99.0M

In late March 2021, a dark-web forum advertised 8.2 terabytes of data tied to the Indian fintech MobiKwik, reportedly covering as many as 99 million users. The listing — and MobiKwik's repeated, combative denials — made it one of the most contentious data-exposure episodes in India's payments sector.

What happened

Security researcher Rajshekhar Rajaharia first flagged in February 2021 that MobiKwik customer data appeared to be circulating on the dark web. MobiKwik denied the claims. On 29 March 2021, a forum seller using the handle Jordandaven posted a listing offering 8.2TB of MobiKwik data, claiming it included a database of around 36 million files with the Know Your Customer (KYC) records of roughly 3.5 million people.

The advertised dataset reportedly included names, phone numbers, email addresses, hashed passwords, addresses, KYC documents, Aadhaar card images, and partial payment-card details. Independent researchers and journalists matched sample records against real MobiKwik users, lending credibility to the claim.

The denial

MobiKwik responded not by investigating publicly but by denying any breach had occurred, asserting it was fully compliant with data-security laws and suggesting that users may have exposed their own data elsewhere. The company also threatened legal action against the researcher who had raised the alarm — a response widely criticised by the security community as shooting the messenger.

Regulatory response

  • India's CERT-In and the Reserve Bank of India directed MobiKwik to commission an independent forensic audit.
  • The dark-web listing was subsequently withdrawn, leaving the exact scope publicly unconfirmed.
  • MobiKwik never published the audit findings, and the precise number of affected users remains disputed — estimates range from the 3.5 million KYC records the seller claimed to the headline figure of up to 99 million accounts.

Why it matters

The MobiKwik episode became a case study in how not to handle a breach disclosure. The combination of credible third-party verification, regulatory intervention, and corporate denial highlighted the gap in India's pre-DPDP-Act accountability framework: at the time there was no statutory breach-notification mandate compelling a fintech to confirm an incident or notify affected users. It remains a frequently cited example of the reputational damage that follows reflexive denial over transparency.

Timeline

  1. Security researcher Rajshekhar Rajaharia first reports that MobiKwik data appears to be available on the dark web.

  2. MobiKwik publicly denies any breach, attributing the claims to attempts to malign the company.

  3. A dark-web listing offers 8.2TB of MobiKwik data covering up to 99 million users, including KYC documents and card details.

  4. Researchers and journalists verify sample records against real users; MobiKwik again denies a breach and threatens legal action against the researcher.

  5. India's CERT-In and the RBI direct MobiKwik to commission an independent forensic audit; the dark-web listing is withdrawn.

Sources

  1. techcrunch.com: https://techcrunch.com/2021/03/30/mobikwik-investigating-data-breach-after-100m-user-records-found-online/
  2. thehackernews.com: https://thehackernews.com/2021/03/mobikwik-suffers-major-breach-kyc-data.html
  3. bankinfosecurity.com: https://www.bankinfosecurity.com/blogs/mobikwik-data-breach-denial-be-nimble-but-so-quick-p-3010
  4. infosecurity-magazine.com: https://www.infosecurity-magazine.com/news/forensic-audit-of-mobikwik-ordered/

Related incidents

Data breach (Resolved)

Carding Mafia (December 2021) data breach (2021)

In December 2021, the Carding Mafia forum suffered a data breach that exposed over 300k members' email addresses. Dedicated to the theft and trading of stolen credit cards, the forum breach also exposed usernames, IP addresses and passwords stored as salted MD5 hashes.

Victim: Carding Mafia (December 2021)
Records: 303.9K

Data breach (Resolved)

FlexBooker data breach (2021)

In December 2021, the online booking service FlexBooker suffered a data breach that exposed 3.7 million accounts. The data included email addresses, names, phone numbers and for a small number of accounts, password hashes and partial credit card data.

Victim: FlexBooker
Records: 3.8M

Data breach (Resolved)

BTC-Alpha data breach (2021)

In November 2021, the crypto exchange platform BTC-Alpha suffered a ransomware attack, after which customer data was publicly dumped. The impacted data included 362k email and IP addresses, usernames and passwords stored as PBKDF2 hashes.

Victim: BTC-Alpha
Records: 362.4K