Alleged records of 20 million BigBasket users published online

A database of about 20 million alleged BigBasket users has leaked on a well-known cybercrime forum, months after the Indian grocery delivery startup confirmed it had faced a data breach.

The database includes users’ email address, phone number, address, scrambled password, date of birth, and scores of interactions they had with the service. TechCrunch confirmed details of some customers listed in the database — including those of the author.

BigBasket co-founders did not respond to texts requesting comment.

The startup confirmed in November last year that it had suffered a data breach after reports emerged that hackers had siphoned off information of 20 million customers from the platform.

TechCrunch has asked one BigBasket co-founder whether the startup ever disclosed the data breach to customers.

A hacker who goes by the name ShinyHunters published the alleged BigBasket database — and made it available for anyone to download — on a popular cybercrime forum over the weekend.

In newer posts on the forum, at least two threat actors claimed that they had decoded the hashed passwords and had put them up for sale. ShinyHunters didn’t immediately respond to a text requesting comment.

The incident comes weeks after Indian conglomerate Tata Group agreed to acquire BigBasket, valuing the Indian startup at over $1.8 billion. The acquisition proposal is currently awaiting approval by the Indian regulator.

Leave a Comment