‘Big Basket’ Data Now Shared by “ShinyHunters” on Hacker Forums for Free

• Notorious data broker “ShinyHunters” is sharing the ‘Big Basket’ November 2020 data breach for free.
• This is re-introducing the same risks for the 20 million exposed customers of the online supermarket.
• The same seller had recently given away a sample of Upstox data, allegedly, but stopped sharing when a ransom was paid.

The ‘Big Basket’ data that was first leaked online back in November 2020 has now re-appeared on a popular hacker forum through a fresh post by the notorious data broker “ShinyHunters”. The actor is giving away the entire collection of 20 million customer records, including full names, email addresses, phone numbers, physical addresses, and several secondary-importance data that could be useful in the hands of the right actors.

Although this data isn’t the result of a new breach on the big Indian online supermarket platform, the re-introduction of the set is bringing it to more malicious individuals and could restart the exploit efforts. If there are still users who failed to reset their passwords since last time, they will now face a renewed risk from the uptick in malicious activities.

Also, as we now learn, the hash that is supposed to help encrypt and protect the passwords even in the case of a data leak is so weak that the passwords may as well be considered plaintext. As ‘Under the Breach’ details on a relevant tweet, using the processing power of a modern graphics card would be enough for anyone to decrypt these hashed passwords in a relatively short time.

We have asked security researcher Rajshekhar Rajaharia for a comment on this since he has been following these incidents from up close since last year, so here’s what he shared with us:

One thing to note is that this breach opened the “Aeolus bag” when Cyble confirmed it, only to be met with accusations of extorting Big Basket and asking a ransom to keep the breach incident private. Rumors linked Cyble with ShinyHunters, but none of that was ever confirmed, and we approached Cyble CEO, who flatly denied everything back then.

ShinyHunters has also posted a part of 100,000 records belonging to Upstox, an Indian online trading platform that the data seller was allegedly extorting. The listing claims that Upstox eventually paid the ransom, so the download links were taken down. Again, Upstox never confirmed any of that officially, so we are only reproducing what is purportedly the story according to the data seller.