Alleged records of 20 million BigBasket users published online

An alleged database of about 20 million BigBasket users has leaked on a well-known cybercrime forum, months after the Indian grocery delivery startup confirmed it had faced a data breach.

The database includes users’ email address, phone number, address, scrambled password, date of birth, and scores of interactions they had with the service. TechCrunch confirmed details of some customers listed in the database — including those of the author.

BigBasket co-founders did not respond to texts requesting comment.

Infamous threat actor “ShinyHunters” just leaked the database of “BigBasket, a famous Indian online grocery delivery service. (@bigbasket_com)

20,000,000+ clients affected and information such as emails, names, hashed passwords, birthdates and phone numbers were leaked. pic.twitter.com/tD5TMxNkH7

— Alon Gal (Under the Breach) (@UnderTheBreach) April 25, 2021

The startup confirmed in November last year that it had suffered a data breach after reports emerged that hackers had siphoned off information of 20 million customers from the platform.

TechCrunch has asked one BigBasket co-founder whether the startup ever disclosed the data breach to customers.

A hacker who goes by the name ShinyHunters published the alleged BigBasket database — and made it available for anyone to download — on a popular cybercrime forum over the weekend. In newer posts on the forum, several threat actors claimed that they had decoded the hashed passwords and were selling it. ShinyHunters didn’t immediately respond to a text requesting comment.

The incident comes weeks after Indian conglomerate Tata Group agreed to acquire BigBasket, valuing the Indian startup at over $1.8 billion. The acquisition proposal is currently awaiting approval by the Indian regulator.