Personal details of 120 million Reliance Jio SIM users were hacked and posted on a website, reports said on Monday. The website, magicapk.com, has since been suspended.
Jio denied any security breach, and said the details appeared inauthentic. Bengaluru-based security researcher and ethical hacker Anand Prakash carried out a reality check and said he was able to access information about a couple of numbers.
“My mother had bought a Jio SIM recently. When I probed, the site displayed the exact date of purchase and other details. It worked again when we tried a friend’s number,” he told DH.
A couple of months ago, Prakash said, he had noticed a post offering to sell user data from an unnamed Indian telecom company. “It was on a hidden network called the ‘dark web.’ This network is accessed by hackers and others proficient with the technology,” he explained.
He then dismissed it, thinking it was fake. “But with Sunday’s incident, I see a link,” he said.
The person behind the post was ready to sell the data for about Rs 13 lakh. “The complete authenticity of the database is still in doubt as verifying all of it means shelling out the amount in Bitcoin secret currency,” he said.
With email IDs and Aadhaar numbers being associated with the SIM cards, a breach triggers many fears. The errant website was pulled down late on Sunday.
“The leak might have happened either because the backend sotware was tweaked or the data compromised,” Prakash said. With no data protection laws in place in India, unlike in the US, a leak can’t even be handled legally, in his view.
A Jio user in Bengaluru is aghast. “A friend tried the website. He could find my details. With details like fingerprints and even our retina scans attached with the Aadhaar numbers, I cannot explain the horror,” he said.
Vulnerability spotter
Anand Prakash hails from Rajasthan, and lives and works in Bengaluru. He is the first Indian to top Facebook’s ‘White Hat’ hackers’ list, and has successfully detected security loopholes in Twitter, PayPal and Uber. He is described as a ‘bounty hunter’ as companies reward him handsomely for helping them identify vulnerabilities they must urgently fix.
What was leaked?
The website magicapk.com reportedly showed full names, Jio numbers, email IDs, and details about when the numbers were activated and what verification ID was used to activate the numbers. Aadhaar numbers were spared, according to some reports.
Jio statement
Reliance Jio responded to the news with a denial: “We want to assure our subscribers that their data is safe and maintained with highest security. Data is only shared with authorities as per their requirement. We have informed law enforcement agencies about the claims of the website and will follow through to ensure strict action is taken.”
Deccan Herald is on WhatsApp Channels| Join now for Breaking News & Editor's Picks