With the massive data trove available freely on the web, BigBasket has done something to secure its users. While it has done nothing to notify its users of the breach, it has quietly disabled the password authentication. The fields leaked in the database included:
id, created_on, updated_on, created_by_id, updated_by_id, email, password, first_name, last_name, dob, photo, is_staff, is_active, is_superuser, last_login, registered_ip, last_logged_ip, date_joined, hub_id, address2, zipcode, location, mobile_no, phone_no, activation_key, oac_code, news_status, about_us, address1, city, is_mapped, is_validated, area, is_cashback_eligible, apin, pin, validated_email, validated_mobile_no, validated_address, manual_override_hub, member_type_id, cookie_value, week_id, mapped_on, residential_complex, mapped_by_id, landmark, city_id, last_order_id, date_of_first_order, date_of_last_order, num_of_orders, first_order_id, maximum_order_delivered_value, total_order_orig_value, total_order_orig_num_items, total_order_delivered_num_items, total_order_invoice_value, total_order_delivered_value, maximum_order_invoice_value, total_order_delivered_num_qty, total_order_orig_num_qty, email_domain, credit, total_store_brand_order_value, channel, total_fv_order_value, last_fv_order_date, last_meat_order_date, last_store_brand_order_date, total_meat_order_value, source_id, ref_id, email2, phone_no2, password_changed_time, is_mobile_no_validated, is_email_validated
It was leaked by a user with the details below on a popular hacking website for free.
To counter this leak, BigBasket has just disabled password authentication and will only use OTP. However, what to talk about the safety of private information of over 2 crore users (including the author)?
It is time that these giant companies also do something for data protection and own-up to their responsibility.