A website has allegedly leaked personal data of several Reliance Jio users. The leaked database shows sensitive personal information such as the phone number, full name, email ID, date of registration and the circle ID of the registered location of the SIM. Whether Aadhaar numbers have been leaked is not yet known. For the number we tried, the Aadhaar number was missing from the leaked data.
Note: We have redacted the name of the said website from this report, as it may be used to collect personal information from unsuspecting users or, worse, to inject malware. We recommend that our readers not visit sites that host possibly hacked content.
The number of users affected by this breach is still unverified, but if all Jio customers are compromised, this could easily be among the biggest data leaks in India, totalling over 100M users. Recently, several users took to social platforms like Facebook and Twitter to post screenshots of their leaked data.
Screenshot of the data leak posted by a Twitter user:
At present, the website which leaked the data cannot be accessed and seems to have been suspended by its hosting provider. This might be due to the huge amount of traffic the website received after the news broke. The website was registered a few months ago, in May, as per the publicly available domain information. However, the people behind it remain anonymous.
Most of the leaked data, including the full names and numbers, can also be found with third-party recharging services. Jio denies the breach and supposes this data to be unauthentic. The company claims that it has already started investigating the matter.
However, with the phone number we tried, our team member had used a custom email ID which wasn't registered with any recharging service other than Jio itself. We are afraid that the database leak looks legit (at least to us). When the leak was first identified, the website only allowed looking up a phone number and getting its details. However, the customer data now seems to be on sale.
Update: A Twitter user posted a screen grab which shows data of around 120 million Jio users being sold on Tor.
We contacted Jio regarding this and below is their official response:
“We have come across the unverified and unsubstantiated claims of the website and are investigating it. Prima facie, the data appears to be unauthentic. We want to assure our subscribers that their data is safe and maintained with highest security. Data is only shared with authorities as per their requirement. We have informed law enforcement agencies about the claims of the website and will follow through to ensure strict action is taken.”
Back in May, popular restaurant listing and review site Zomato acknowledged that data of 17 million users was stolen from its servers. The company wrote about the breach itself after reaching an agreement with the hacker to take the data offline. Apparently, the hacker in this case wanted Zomato to publicly acknowledge the snafu and create a bug bounty program.
High-profile security breaches have become a phenomenon across the globe. While we have seen very few privacy concerns expressed by users themselves in India, these data breaches are to some extent to blame for the extensive phishing attacks, scams and excessive telemarketing calls that we get.
Update: Reliance Jio has now acknowledged this breach and filed a police complaint. Interestingly, the accused has already been arrested. Imran Chimpa, a 24-year-old Master's in Computer Application graduate, was behind the database leak. After several interrogations, the accused said he wanted to build a search engine using Jio's database.
Valuable contributions by Annkur Agarwal.