Piecing together the MobiKwik hack

Why read this story?

Editor's note: The past week has been nothing short of a cluster***k for MobiKwik and its users. While the fintech company maintains that its servers were never breached in what’s being claimed to be the biggest KYC (Know Your Customer) hack in India− even going so far as to indulge in victim-blaming− all signs point to a track record of obfuscation. Indeed, this isn’t the first time MobiKwik has been subject to glaring security goof-ups. The 2021 hack, however, is significant because of the quantum of personal data that’s available: PAN card and Aadhaar details, bank details, phone numbers, mugshots, and virtually everything that constitutes the digital identity of millions of Indians. The original hacker or group, or those affiliated with them, also have a Telegram group dedicated to scraping the personal details of MobiKwik users. But group admins took things a step further on the evening of 31 March, when they claimed to have breached Digilocker, an online vault provided by India’s Ministry of Electronics and Information Technology for Aadhaar users to store and access their important documents. Digilocker is also …