In October 2020, BigBasket.com, an online food and grocery platform that delivers personal and household needs in India, suffered a data breach.
This incident exposed over 20 million customer records, including email addresses, IP and physical addresses, full names, phone numbers, dates of birth, and passwords stored as Django SHA-1 hashes.
The company stated that customer privacy and confidentiality are a priority, that it does not store any financial data, including credit card numbers, and that it is confident this financial data is secure.
The data was originally sold by multiple hackers on the darknet shortly after the incident. It was eventually leaked publicly in April of the following year by a group operating under the alias ShinyHunters. It is reasonable to assume the group took part in the original hacking operation.
Kaduu has analysed the breached database: it is a single .sql file of 15.5 GB. The exact number of leaked accounts containing email and password pairs is 20,518,019. Unfortunately, the hashing algorithm chosen by the company is weak, and it does not take long to crack the hashes and recover the original clear-text passwords.
It is notable that, out of 20M passwords, over 5M were identical: their hashes corresponded to the password “password”.
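The following is an added example (not Kaduu's code or BigBasket's) showing what an audit of such a dump looks like from the defender's side: it parses Django's `algorithm$salt$hash` encoding, flags accounts still on the legacy SHA-1 hasher, and checks them against a short banned-password denylist so they can be queued for a forced reset. The rows, salts and denylist are constructed for illustration; the SHA-1 construction (`sha1(salt + password)`) is the one Django's `SHA1PasswordHasher` uses.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

def django_sha1(salt: str, password: str) -> str:
    """Reproduce Django's legacy SHA1PasswordHasher encoding: sha1$salt$sha1(salt + password)."""
    return f"sha1${salt}${hashlib.sha1((salt + password).encode()).hexdigest()}"

# Constructed sample rows (email, encoded password); not data from the real breach.
SAMPLE_ROWS: List[Tuple[str, str]] = [
    ("alice@example.invalid", django_sha1("x1y2z3", "password")),
    ("bob@example.invalid", django_sha1("q9w8e7", "correct horse battery staple")),
    ("carol@example.invalid", "pbkdf2_sha256$260000$abc$" + "A" * 43),  # modern hasher
]

# Short constructed denylist, a stand-in for Django's CommonPasswordValidator list.
BANNED = ["password", "123456", "bigbasket"]

WEAK_ALGORITHMS = {"sha1", "md5", "unsalted_sha1", "unsalted_md5"}

def classify(encoded: str) -> str:
    """'weak' for legacy fast hashers, 'ok' for slow, salted ones such as pbkdf2_sha256."""
    algorithm = encoded.split("$", 1)[0]
    return "weak" if algorithm in WEAK_ALGORITHMS else "ok"

def matches_banned(encoded: str) -> Optional[str]:
    """For a legacy sha1 hash, return the banned password it encodes, if any."""
    algorithm, salt, digest = encoded.split("$", 2)
    if algorithm != "sha1":
        return None
    for candidate in BANNED:
        computed = hashlib.sha1((salt + candidate).encode()).hexdigest()
        if hmac.compare_digest(computed, digest):
            return candidate
    return None

def audit(rows: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (email, finding) for every account that should be forced to reset."""
    findings = []
    for email, encoded in rows:
        if classify(encoded) == "weak":
            hit = matches_banned(encoded)
            findings.append((email, f"banned password '{hit}'" if hit else "legacy hasher"))
    return findings

if __name__ == "__main__":
    for email, finding in audit(SAMPLE_ROWS):
        print(f"{email}: {finding}")
```

Accounts on the legacy hasher are flagged even when no banned password matches, since the fast, single-round SHA-1 construction is the underlying weakness regardless of the password chosen.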