BigBasket and the looming spectre of ShinyHunters

Why read this story?

Editor's note: Pardon the sombre start, but there’s no other way to put it: Another month, another data breach. It’s been five days since Cyble informed the public about the breach at India’s largest online supermarket. The cybersecurity firm found a 15 GB database of BigBasket users on a dark web marketplace. This database had the details of 20 million customers—names, emails, IP and physical addresses, contact numbers, dates of birth, and even OTP hashes. If you’ve ever ordered from BigBasket, you’re part of an information catalogue that’s being sold for nearly Rs 30 lakh, or $40,000. The BigBasket breach allegedly took place on 14 October. Cyble detected it more than two weeks later, after which it followed the protocol expected of cybersec firms: validate the leak, inform company management, and only then make a public announcement. BigBasket was informed on 1 November, but the company issued no acknowledgement—leave alone an apology—to users until media outlets broke the news. If Cyble hadn’t made the matter public on its website, chances are that BigBasket would’ve kept mum. We wrote about how India’s Personal …