Last week saw a kerfuffle of unparalleled proportions in the Indian startup ecosystem. On one hand, there were claims that India had experienced its largest data breach. Records and private information of a mind-boggling 100 million users leaked from a fintech startup. On the other hand, MobiKwik*, the company in question, denied that any such breach ever happened.

MobiKwik co-founder and CEO Bipin Preet Singh claimed that the data was likely to have been lost by users on other platforms. The company even went as far as to paint the researcher who flagged the issue, Rajshekhar Rajaharia, as “media-crazed” and having ulterior motives.

So what exactly happened, and more importantly, what does this mean for both MobiKwik and its users? Before we get into that, here’s a quick primer on the situation so far.

On 24 February, a hacker called ninja_storm posted on RaidForums, a database-trading platform for breaches and leaks. The hacker claimed to have 6 TB of KYC (Know Your Customer) data and 500 GB of production MySQL database backups of a large financial company. The conversation then shifted to a Discord server initiated by the hacker.

When others demanded proof that the database dump was indeed genuine, the hacker sent three files on 25 February.

The first file was a database schema (structure of database) of saved cards, which contained partially masked credit card numbers (showing the first six and last six digits), card IDs, and other details.

The second file was a list of all databases and tables. This list pointed to a rich store of information, including complete user details such as passwords (stored in a hashed manner), addresses, payment and transaction history, balance details, GPS locations, lending information, bank limits, device names, and card data of providers such as American Express.