BigBasket breach: How can people check if their data was hacked?

The Dark Web is an unregulated part of the internet. It is not indexed by search engines. Dark Websites are deliberately bare-bones, without named urls. This is a haven for cybercriminals, and also those who wish to avoid being “outed” by search engines, or tracked by unfriendly regimes.

The cyber-security firm, Cyble, routinely searches the Dark Web for criminal activity. On October 30, Cyble discovered that India’s online supermarket, BigBasket, had been hacked. The data of around 20 million BigBasket customers were being hawked on the Dark Web at an asking price equivalent to $40,000. This included fields such as full names, email IDs, mobile numbers, data of birth, login location and IP, password hashes (hashed OTPs), pins, full physical addresses, and IP addresses. 

When was the data hacked?

Cyble estimates the hacking was done around October 14. After validating the data, it informed the Bengaluru-based BigBasket. Cyble went public with the information on November 7. BigBasket did not disclose the incident to its users between November 1 and 7. It has since issued a statement that credit card/debit card/net banking details were not disclosed in the breach.

Where does this leave the customer? 

If the Dark Web does have all those data, as well as any card details (maybe somewhere else if not in the BigBasket file), you may be vulnerable to identity theft or a card hack.

Of course, you may file some sort of complaint about the breach. But there is no data privacy law in India. Arguably, much of this information could be legally sold — there is a thriving trade in digital data. Anyhow, glaciers in Antarctica melt faster than cases moving through Indian courts.

How can people check if their data was hacked? 

Many tools on the Web can help you check if there’s private data about you on the Dark Web. Cyble offers a tool at https://amibreached.com/ (also accessible via an app). This has included the BigBasket data.

A positive result on a search will tell you there is indeed data about you stacked on the Dark Web. Don’t be surprised; most net users have at some time or the other used some service, which has been compromised. You can probe further to check what that data is.

If there’s a negative result, you can breathe half a sigh of relief. It’s very possible that some of your private data is sitting out there, but at least it hasn’t been picked up by a major cyber-security outfit yet and it may not be very damaging.

What can be done if data has been compromised?

There’s not much you can do about certain data being exposed. It’s hard to change physical address. Changing your email and mobile number are irritating. It’s even harder to change your name (the name-switch will leave a web record anyhow).

But you can change your email passwords, and pins for instance. If your data has been leaked from a site, which may have your financial details, it is possible, and may be prudent, to “hot-list” your cards and request replacements. Be aware this leaves you cash/cheque-dependent until new cards arrive.

How can one make online transactions safer?

Here are some guidelines for safer (not safe, but safer) online transactions. Never save card details to avoid these being sucked up if the site gets hacked. It is safer to use a credit card than a debit card. A debit card directly draws on cash in your account. If a credit card is hacked, you may, or may not, be liable for whatever fraudulent transactions are made. But a debit card hack could wipe out your bank account.

In future, use virtual credit cards. Most banks offer these for free, though they may call it something else. (HDFC Bank calls it netsafe.) The bank creates a virtual credit card on request, giving you a credit card number and CVV (card verification value — the 3-digit pin on every card). The virtual card works online like a normal credit card. But it expires within a day or two, and you set exact transaction limits.

Let’s say you buy a new mobile for Rs 15,000. Create a virtual credit card with a limit of Rs 15,500 (just in case). The balance Rs 500 will be credited to your bank account on expiry. The card expires the next day. Your real card and bank details remain protected. This adds a layer of protection.