More Indian casualties of the infamous hacking group ShinyHunters have emerged. The group has allegedly leaked a 6 GB data dump of Indian crypto exchange BuyUCoin on the dark web, where it is available for download for free. The leaked data contains information for 300,000 users, a little less than the number of users that BuyUCoin claims to have served.
The data is contained in a MongoDB database, which is used by many modern apps. The leaked database contains sensitive information such as users’ names, phone numbers, email addresses, PAN numbers, as well as bank details such as account number, IFSC code and the type of account. It is worth noting that BuyUCoin collects such information from users who make a deposit on the exchange platform to purchase cryptocurrencies.
Screenshots of the leaked database also reveal the BuyUCoin referral codes for some users, along with details of their trading activities on the crypto exchange. According to Rajaharia, who is also an affected user, data till September 2020 is contained in the leaked database.
While names, phone numbers and email addresses are mostly used for large-scale phishing campaigns, the fact that certain bank details of users have also been leaked from BuyUCoin is of grave concern.
Over the last few months, ShinyHunters has leaked user data from various Indian companies such as Juspay, Clickindia, Chqbook and Bigbasket among others. As with these other instances, the BuyUCoin data also appears to have been leaked through a breach of the company’s server, since the leaked data is in the form of a dump.
BuyUCoin claimed no data breach had taken place. “In the mid of 2020, while conducting a routine testing exercise with dummy data, we faced a ‘Low Impact Security Incident’ in which non-sensitive, dummy data of only 200 entries was impacted. We would like to clarify that not even a single customer was affected during the incident,” read the company statement.
However, this claim is not true, since the genuine user data was also included in the leaked database.