Over the past few weeks, many Flipkart users have filed complaints about their accounts being broken into and unknown individuals placing orders using their IDs and Supercoins, the company's loyalty reward system.
But the hacks had nothing to do with a breach of the Flipkart database, according to experts. Instead, they go back to the Bigbasket data breach, in which the information of thousands of people was disclosed on the dark web for anyone to download and use.
According to experts, while Flipkart’s database may have been breached, companies should implement two-factor authentication to ensure that such issues are avoided.
What’s going on?
On May 12, Flipkart customer Satish Medapati wrote on Twitter that his account had been hacked and that strangers were using Supercoins, Flipkart’s loyalty reward system, to place orders. His case is not an isolated one.
Over the past few weeks, many users have raised similar complaints on the microblogging site Twitter about strangers placing orders from their Flipkart accounts and using their Supercoins to do so.
Another user, Ajay Shah, said details of thousands of users are also being sold on Telegram. A review of the screenshot revealed that approximately 2,800 IDs were sold on the Telegram group.
Two security analysts said the breach could be traced back to the Bigbasket breach in November 2020, after which details of millions of users were made public on the dark web late last month.
Bigbasket link
Following the Bigbasket data breach in November 2020, a group of hackers made the personal details, including hashed passwords, of about 20 million Bigbasket users available for free on the dark web two weeks ago.
UT Prasad, Chief Security Officer of InstaSafe, a cyber security platform, said those who downloaded the data would be able to access user information.
Once they have access to the email and can decrypt the password, hackers can remove the encryption and use the plaintext to retrieve user IDs, from the dozens disclosed, that can be used on the Flipkart site, he explained.
Rajshekhar Rajaharia, a security researcher, said, “About 4 million Bigbasket instant passwords have been hacked by hackers.” Given that most people use the same ID and password on all websites, it is possible to log in to the Flipkart site using the same information. Moneycontrol was able to confirm this.
What now?
Rajaharia says users should quickly change all their website passwords instead of waiting for the company to notify them. As a matter of general security hygiene, he also suggested that users use different and strong passwords across all websites.
But the need of the hour, according to both Rajaharia and Prasad, is two-factor authentication.
According to Prasad, having two-factor authentication (2FA) enabled on the company’s site would prevent these problems. Currently, entering the username and password is sufficient to access the website.
But given the level of breaches we have seen in the last six months alone, companies have to take other precautionary measures. Two-factor authentication is one such solution. For example, when you sign in to the Amazon.in site from a new device, it sends an SMS verification link to your number. Only once that is verified will the user be able to log in to the site.
“It is time for firms like Flipkart to review security. They have to provide two-factor authentication as making all users aware of having strong passwords will be difficult,” he added.