‘MobiKwik’ Says Forensic Audit Proves No User Data Was Ever Accessed

  • ‘MobiKwik’ reassures its userbase that their investigation has found no proof of a data breach.
  • The company has shared server logs with an independent auditor who has confirmed its previous finding.
  • The report is missing convincing details, but it could be enough to evade further regulatory pressure.

Back in March, we covered the news about 8.2 TB of sensitive data of MobiKwik users appearing online on a Tor URL with the ability to search using real names or phone numbers. The data appeared to be of the “know your customer” type, something that MobiKwik would require for identity validation and account activation, being an electronic financial transactions company. Even though the proof appeared to be overwhelming, the company flatly denied suffering a data breach and claimed the leaked data resulted from users uploading it to other platforms.

In the days that followed, the Indian authorities have pushed for a probe to evaluate whether or not a large number (up to 120 million) of citizens had been irreversibly exposed. At the same time, MobiKwik continued to maintain the same stance of denial, also playing down the claims of the researcher who helped publicize the appearance of that data, Rajshekhar Rajaharia.

In continuation of that, MobiKwik has now published the results of a forensic audit conducted by an independent expert. The summary is that there’s no indication of unauthorized access from external hackers or even an internal agent to the server where customer data is stored. This comes from an in-depth analysis of the logs provided to the auditor, DHRP, who saw no signs of unauthorized access. Notably, though, employee devices weren’t analyzed, some non-mandatory logs were excluded from being shared with the investigating agents, and a virtual walk-through on the firm’s systems was not offered to them.

If we take the audit result for granted, the only possible explanation left for the appearance of the KYC images on the dark web is that the users have uploaded them to other platforms that were breached. As no fingers were ever pointed to affiliates or apps that can connect to MobikWik’s API or any other services where a data exchange at this level could have taken place, there is no margin for speculation here.

We have reached out to MobiKwik asking for more details about the audit and also for potential findings or leads regarding the actual source of the leak. We will update this piece as soon as we hear back from them.

REVIEW OVERVIEW

Latest

Is It Okay to Charge iPhone 13, Mini, Pro, or Pro Max Overnight?

Without any doubt, there are plenty of misconceptions about charging iOS devices. That’s even more true now since this year’s iPhones have the...

Is It Okay to Play Games While Charging iPhone 13? 

The iOS App Store offers more than one million games. Your options are practically limitless, with console-like games taking full advantage of iPhone 13’s...

Is It Bad to Use iPhone 13 While Charging? 

The latest iPhone generation comes with the longest battery life yet, managing to provide up to 2.5 extra hours of use. With that said,...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari