Own up if your data is hacked, ShinyHunters tells Indian firms
New Delhi, Jan 28 (IANS) The hacker behind some of the biggest breaches in India in the recent times, including grocery delivery platform Bigbasket and photo-editing app Pixlr, has come out of the woods and for ShinyHunters, the companies in India need to take full responsibility if their data is hacked for the users to maintain their trust in them.
In a chat with independent cyber security researcher Rajshekhar Rajaharia, a copy of which has been shared with IANS, ShinyHunters said taking responsibility must be the first thing Indian firms should do when a data breach takes place.
"They have no choice but to take responsibility (about data breaches) when their database is hacked. No one cares about data breaches unless the data is yours," said the hacker who goes by the name of ShinyHunters.
ShinyHunters has been involved in several data breaches recently, including allegedly leaking sensitive data of nearly 3.25 lakh users of Delhi-NCR based global cryptocurrency exchange and wallet, BuyUcoin, on the Dark Web.
The hacker has also leaked 19 lakh user records stolen from free online photo editing application Pixlr.
ShinyHunters blasted the companies that still use poor encryption methods to safeguard the data of their users.
In November last year, one of India's popular online grocery stores BigBasket, found that data of over 2 crore users had been hacked and were on sale on the Dark Web for over $40,000 -- which is reported to be the handiwork of ShinyHunters.
"I hope companies, including those in India, stop using broken algorithms like MD5 while going for encrypting data," ShinyHunters said in the chat.
The MD5 (Message Digest 5) algorithm has been a widely used hash function producing hash encryption modes.
MD5 is no longer considered as a secure way to store passwords, especially in times when hackers have devised sophisticated tools for breaking into the networks. It is now better to use hash functions such as Sha256, 512, bcrypt, scrypt and whirlpool, for instance.
"In this wonderful world, companies learn from their mistakes. It is not just the question of Indian companies. The main problem is lack of proper encryption. Either data is saved in plaintext or the algorithm is old," ShinyHunters said in the chat.
After hacking masked credit and debit card data of nearly 3.5 crore users of Bengaluru-based digital payments gateway JusPay (which delayed in informing the data breach to its users), ShinyHunters was found selling databases belonging to three more Indian companies on the Dark Web -- e-marketplace ClickIndia, fintech startup for small business owners ChqBook (which denied the attack) and wedding planning website WedMeGood.
When asked which part of the world he operates from, the hacker said it is a "secret" and then threw an 18-round "bcrypt" challenge to crack the hash to know his whereabouts.
The hacker is allegedly behind over 44 public leaks in 2020 and several are not yet listed. The databases he has contain information of over 125 crore people globally, including more than 20 crore Indians.
(Nishant Arora can be reached at email@example.com)