The data leaked include names, e-mails, mobile numbers, encrypted passwords, user wallet details, order details, bank details, KYC details (PAN number, passport numbers) and deposit history.
According to independent cyber security researcher Rajshekhar Rajaharia, the 6GB file on MongoDB database contains three backup files containing BuyUcoin data.
“This is a serious hack as key financial, banking and KYC details have been leaked on the Dark Web,” Rajaharia told IANS and shared some screenshots of the leaked data.
Researchers at cyber security firm Kela Research and Strategy Ltd first discovered the stolen data, linked on the same forum, from Wongnai Media Co Ltd, Tuned Global Pvt Ltd, BuyUcoin, Wappalyzer, Teespring Inc and Bonobos.com, which looks the handiwork of infamous hacking group ShinyHunters.
“Over this past summer, ShinyHunters was seen publishing leaked data for free, exposing millions of personal records from all over the world,” Victoria Kivilevich, threat intelligence analyst at Kela Research, told SiliconANGLE.
“We have seen collaborators of Shiny Hunters selling and leaking other dumps in the recent months.”
BuyUcoin was yet to react to the report.
ShinyHunters has also leaked 1.9 million user records stolen from free online photo editing application Pixlr.
According to Rajaharia, the hacker is the same who earlier leaked BigBasket and JusPay data in India.
In November last year, one of India’s popular online grocery stores BigBasket found that its data of over 20 million users had been hacked and were on sale on the dark web for over $40,000.
“Now, the same hacker group is asking about $10,000 in Bitcoin for the BigBasket database and is also selling the three companies’ databases,” Rajaharia said.
“There is a strong connection between all these recent data leaks, including BigBasket,” he added.
Earlier this month, Bengaluru-based digital payments gateway JusPay said that about 3.5 crore records with masked card data and card fingerprint were compromised by the hacker.
Rajaharia also disclosed that three Indian companies — e-marketplace ClickIndia, fintech startup for small business owners ChqBook and wedding planning website WedMeGood — were also hacked possibly by the same hacker.
“Nearly 80 lakh users of ClickIndia (name, email, mobile and other personal details), 10 lakh users of ChqBook (name, email, mobile, full address and other personal details) and 13 lakh users of WedMeGood (name, email, hashed password, other sensitive personal information),” Rajaharia had revealed.