Upstox joins the list of tech companies that have leaked customer details in a data breach. The Indian stockbroking firm released an announcement this evening describing a possible data breach and suggesting measures to secure user accounts. It says it has tightened its infrastructure on the recommendations of a cybersecurity firm.
Upstox Data Breach Leaking Customers’ PII
Upstox is the second-largest Indian stockbroking firm in terms of active clients. Earlier today, an independent security researcher named Rajshekhar Rajaharia pointed out a data breach at Upstox that has leaked the sensitive information of 2.5 million customers online.
Rajaharia, who earlier disclosed a data breach at MobiKwik, has now shared that a ransomware group called ShinyHunters breached the Upstox server and leaked over 56 million KYC files of its customers. The leaked data includes customers’ names, email addresses, dates of birth, PAN, bank details, and KYC information such as passport, PAN, cancelled cheque, signature pictures, etc.
Again Huge KYC Leak!! approx 2.5 Million @upstox Users Including 56 Million KYC files alleged leaked by ShinyHunters from UpStox Server. Data Including Name, Email, DOB, PAN, Bank Details, KYC(Passport, PAN, Cancelled Cheque, Sign Pics etc.) #infosec #GDPR #databreach pic.twitter.com/IZQIWVD0MM
— Rajshekhar Rajaharia (@rajaharia) April 11, 2021
He also attributed the leak to the improper configuration of Upstox’s Amazon AWS S3 bucket, which has been the cause of many data leaks in the past. Soon after, Upstox came out with an official statement saying that it has upgraded its “security systems manifold recently, on the recommendations of a global cyber-security firm.”
This came after the company “received emails claiming unauthorized access into our (Upstox) database.” Disclosing that “some contact data and KYC details may have been compromised from third-party data-warehouse systems,” Upstox assured users that no funds or securities in their accounts were impacted.
Further, it has initiated a secure password reset via OTP as a “matter of abundant caution,” and suggested that users follow these practices to remain secure:
- Always use unique strong passwords (multi-case, alphanumeric, no name fragments) and different from older versions
- Never share OTPs with anyone
- Watch out for OTPs you may not have requested and alert the service provider in such events
- Beware of online fraud and double-check the legitimacy of links and senders.