CloudSEK has discovered a data leak that contains sensitive information of 40,000+ suppliers registered on IndiaMART. IndiaMART InterMESH Ltd. is an Indian e-commerce company that is an online marketplace for B2C, B2B, and customer to customer sales and services. As per their website, they have 6 million+ suppliers on the platform.
Discovery of the leak
CloudSEK researcher Ashok Krishna discovered posts on 2 forums advertising a database of 43,920 suppliers registered on IndiaMART. On one forum the post was published on 20 June 2020 at 11:03 AM. The poster claims to have 49,000+ ‘Indiamart business data.’ In response to this post, another forum member commented that the dump contains 42,985 records, including email addresses. On the second forum the post was published on 22 June 2020 at 6:11 AM. The poster claims to have 43,920 records, even though the sample filename is ‘Indiamart 01 (Business) - 49000.xlsx.’ In response to this post another forum member commented that he/she has a total of 700k of this data and has shared a sample as well. We couldn’t verify the commenter’s claim. We downloaded the sample from the first forum to validate its contents.
The contents of the leak
The sample file contains 44 records and each record has the following fields:
- User ID
- First name
- Last name
- Phone number (landline)
- Mobile number (two mobile numbers)
- Email address
- Zip code
- Account created date
Data verification and validation
Using public sources we were able to verify various fields in the sample data, and found it to be authentic and active. The sample contains the details of suppliers who registered in February 2016, and are primarily from the Indian state of Gujarat. However, this may or may not be representative of the complete dump.
- Threat actors can use the PII in the data dump to orchestrate phishing campaigns, online and offline scams, and even identity theft.
- Since the source of the leak is not known, there is a possibility that threat actors can continue to exploit it. Whether the source is a bug in the IndiaMART website or an unsecured database, if it is not remediated, it could put the 6 million+ suppliers on the platform at risk.
- Usually our mobile numbers and email IDs are linked to banking, mobile wallet, and other online accounts. Having these details makes it easier for threat actors to compromise the victims’ accounts.
Recommendations for the suppliers
- Check if your IndiaMART accounts have been tampered with.
- Enable multi-factor authentication.
- Don’t share OTPs with third parties. While this is a rule of thumb, it is especially relevant in this case, because threat actors already have email IDs and phone numbers. So, the OTP is the only thing standing between threat actors and the victims’ accounts.
- Review all online accounts and financial statements for suspicious activity.
- Caution friends and family against threat actors impersonating you.
Recommendations for IndiaMART
- Inform the affected suppliers and ensure their accounts have not been compromised.
- Identify the source of the leak and fix the vulnerability at the earliest.
- Perform an audit to ascertain the full extent of the leak and check if threat actors have launched any other attacks.