CloudSEK has discovered a data leak that contains sensitive information of 40,000+ suppliers registered on IndiaMART. IndiaMART InterMESH Ltd. is an Indian e-commerce company that is an online marketplace for B2C, B2B, and customer to customer sales and services. As per their website, they have 6 million+ suppliers on the platform.
CloudSEK researcher Ashok Krishna discovered posts on 2 forums advertising a database of 43,920 suppliers registered on IndiaMART.
On one forum the post was published on 20 June 2020 at 11:03 AM. The poster claims to have 49,000+ ‘Indiamart business data.’ In response to this post, another forum member commented that the dump contains 42,985 records, including email addresses.
On the second forum the post was published on 22 June 2020 at 6:11 AM. The poster claims to have 43,920 records, even though the sample filename is ‘Indiamart 01 (Business) – 49000.xlsx.’ In response to this post another forum member commented that he/she has a total of 700k of this data and has shared a sample as well. We couldn’t verify the commenter’s claim.
We downloaded the sample from the first forum to validate its contents.
The sample file contains 44 records and each record has the following fields:
Using public sources we were able to verify various fields in the sample data, and found it to be authentic and active. The sample contains the details of suppliers who registered in February 2016, and are primarily from the Indian state of Gujarat. However, this may or may not be representative of the complete dump.
We notified IndiaMART and CERT India on 22-Jun-2020. While CERT India has responded, asking for more details about the leak, IndiaMART had not responded, at the time of publishing this article. If we receive a reply, it will be duly updated here.