A database of about 20 million alleged BigBasket users has leaked on a well-known cybercrime forum, months after the Indian grocery delivery startup confirmed it had faced a data breach.
The database includes users’ email addresses, phone numbers, addresses, scrambled passwords, dates of birth, and scores of interactions they had with the service. TechCrunch confirmed details of some customers listed in the database — including those of the author.
BigBasket co-founders did not respond to texts requesting comment.
TechCrunch has asked one BigBasket co-founder whether the startup ever disclosed the data breach to customers.
A hacker who goes by the name ShinyHunters published the alleged BigBasket database — and made it available for anyone to download — on a popular cybercrime forum over the weekend.
In newer posts on the forum, at least two threat actors claimed that they had decoded the hashed passwords and had put them up for sale. ShinyHunters didn’t immediately respond to a text requesting comment.
The incident comes weeks after Indian conglomerate Tata Group agreed to acquire BigBasket, valuing the Indian startup at over $1.8 billion. The acquisition proposal is currently awaiting approval by the Indian regulator.