22nd May 2020, 23:17   #1
Senior - BHPian
Join Date: Jul 2019
Location: City of Destiny
Posts: 1,187
Thanked: 5,690 Times
Zoomcar's database hacked, data of 3.5 million users is up for sale

The data includes names, email ids, passwords, mobile numbers and IP addresses. The hacker is offering to sell data of Zoomcar users for $300.

Quote:
Personal data of around 3.5 million Zoomcar users has been up for sale on what is known as the Dark Web since Thursday, according to a cybersecurity consultant.

Dark Web refers to that area of cyberspace where content cannot be searched using normal search engines because it is encrypted.

“The hacker has been privately selling the data for $300 but now he has made it public on the Dark Web,” said Rajshekhar Rajaharia, the cybersecurity consultant who alerted Zoomcar about the hacker’s plan.

Zoomcar competes with other self-drive car rental startups such as Drivezy and Revv. The data breach took place in July 2018, according to the hacker.

Hackers avoid offering the stolen data for sale soon after a breach since that makes it easier for law enforcement officials to track their internet protocol (IP) addresses, Rajaharia said. Selling the data after a year makes it difficult to track the source of the breach. Zoomcar did not reply to an email seeking comment.
Source
wheelguy is offline   (8) Thanks
22nd May 2020, 23:20   #2
BHPian
Join Date: May 2010
Location: .........
Posts: 559
Thanked: 1,383 Times
Re: Zoomcar's database hacked, data of 3.5 million users is up for sale

The worst consequence is that the driving license will be leaked. It can be used as an identity proof somewhere else.
Also, the breach took place 2 years ago. They are reporting on it now?

Last edited by Nissan1180 : 22nd May 2020 at 23:21.
Nissan1180 is offline   (1) Thanks
22nd May 2020, 23:47   #3
BHPian
Join Date: Jan 2020
Location: Delhi
Posts: 96
Thanked: 450 Times
Re: Zoomcar's database hacked, data of 3.5 million users is up for sale

Quote:
Originally Posted by Nissan1180 View Post
The worst consequence is that the driving license will be leaked. It can be used as an identity proof somewhere else.
Also, the breach took place 2 years ago. They are reporting on it now?
I think what the article intends to say is that the breach happened 2 years back but the company was alerted of it now.

Zoomcar has been struggling financially for some time (someone who worked in the company told me). Now they would see even tougher times because of lack of demand.
With this leak, the company has practically hit rock bottom. In fact, the news could not have come at a better time for the company. Due to Corona, no one is renting their cars anyways.

Last edited by warrioraks : 23rd May 2020 at 00:02.
warrioraks is offline   (3) Thanks
23rd May 2020, 00:05   #4
BHPian
Join Date: Jun 2014
Location: Mumbai
Posts: 152
Thanked: 128 Times
Re: Zoomcar's database hacked, data of 3.5 million users is up for sale

This is a good time to remind everyone here that if you used the same password as on zoomcar on any other websites, you should change them right now.
raksrules is offline   (20) Thanks
23rd May 2020, 09:25   #5
Distinguished - BHPian
Join Date: Mar 2011
Location: Back to Chndgrh
Posts: 3,666
Thanked: 9,795 Times
Re: Zoom Car Reviews - Self Drive Rentals in India

Data of 3.5 million Zoomcar customers up for sale

Looks like they messed up their backend just like their ill-maintained cars.

https://auto.economictimes.indiatime...-sale/75901065
Turbanator is online now   (3) Thanks
23rd May 2020, 09:33   #6
BHPian
Join Date: Apr 2009
Location: MH02
Posts: 197
Thanked: 91 Times
Re: Zoom Car Reviews - Self Drive Rentals in India

Quote:
Originally Posted by Turbanator View Post
Data of 3.5 million Zoomcar customers up for sale

Looks like they messed up their backend just like their ill-maintained cars.

https://auto.economictimes.indiatime...-sale/75901065
And this will be swept under the rug instead of addressing the issue, like their customer support deals with customer grievances. Their greedy management and leadership need to do some self-introspection. Zoomcar is in a sad state now.
ashishy is offline  
23rd May 2020, 10:01   #7
BHPian
Join Date: Sep 2018
Location: Bangalore
Posts: 266
Thanked: 1,151 Times
Re: Zoom Car Reviews - Self Drive Rentals in India

Quote:
Originally Posted by Turbanator View Post
Data of 3.5 million Zoomcar customers up for sale
Such leaks and breaches are likely to further increase, owing also to the increased WFH.

Everyone who had/has a Zoomcar account should immediately change their password and, as is typically recommended, have a long (>15 char) convoluted password. I have an account with Zoomcar as well, although I have not used it for a very long time.

In addition to changing the password, it would also be good to enable two-step authentication.
Miyata is offline  
24th May 2020, 16:39   #8
BHPian
Join Date: Jun 2019
Location: Patna
Posts: 34
Thanked: 85 Times
Re: Zoomcar's database hacked, data of 3.5 million users is up for sale

Yesterday I read about a data leak from a job site. Over 3 crore CVs of Indians are for sale on the dark web. A CV has all the information on it: full name, age, address, email, telephone number, birthdate, parents' names and educational qualification.

https://www.outlookindia.com/newsscr...report/1844061

Data of 50 crore Facebook users, with email, photo, location and all information, was leaked a few months ago.
Sran is offline   (3) Thanks
24th May 2020, 16:54   #9
Team-BHP Support
Join Date: Feb 2004
Location: Bombay
Posts: 23,054
Thanked: 27,862 Times
Re: Zoomcar's database hacked, data of 3.5 million users is up for sale

I have my doubts every time "3.5 Million 'WEBSITE-X' passwords" are offered for sale on the dark web.


Most of the time, it's not a data breach. It's marketing.

What?? How?

Imagine this: Some hacker has collected emails, passwords, names, from hundreds of different sources along the years. Could be when Geocities was breached in 2006 or when you clicked on a phishy link in 2012 and thought you were signing in to see some urgent document Pratik uncle shared with you.

The hacker now has that info, but doesn't really know what to do with it.

It's probably an old username, a very old password, and not much else.

Modern website security will make it a bit of a pain for him to test each of the 3.5 million logins against every bank's netbanking login. It will take forever (they rate-limit these things), chances of a hit are low, you'll probably need an OTP, and so it's probably not worth the effort.

So what does the smart hacker do?

He re-packages his little bundle to get traction & eyeballs. #marketing
"I have 3.5 million addresses & passwords collected over the last 15 years"
...is way less sexy than...

"LEAKED! User data of 3.5 million ZoomCar users"
The latter if timed well will also get tons of press. (eg. recently the Zoom (videoconferencing app) leak -- since that was the hot news, these guys just marketed their data for sale as 'zoom users').

Has anyone bothered to look through the 3.5 Million addresses and verify that they are all actually ZoomCar users? I think not.

If someone bought it, and verified that these 3.5 Million users are in fact NOT all ZoomCar users, is he going to get a refund from the hacker?


A second way this is marketing, is sometimes it's an excellent add-on to a smear campaign.

Ironically, the only people who'd be willing to spend $300 to check if this is true or false are ZoomCar themselves. That comes with its own moral complications (eg. would you pay someone who stole from you?).


In closing:
- Don't believe every headline you read
- Don't use the same password on more than 1 website

Last edited by Rehaan : 24th May 2020 at 17:36.
Rehaan is offline   (22) Thanks
24th May 2020, 22:40   #10
BHPian
Join Date: Dec 2016
Location: Bangalore
Posts: 122
Thanked: 337 Times
Re: Zoomcar's database hacked, data of 3.5 million users is up for sale

One easy way to check if your account has been compromised in a data breach is by using the website Have I Been Pwned. The site is mostly up to date with details of every new data breach and can tell you if and when your accounts have been compromised.
[Attached thumbnail: screen-shot-20200524-10.39.31-pm.png]

TejasKinger is offline   (6) Thanks
24th May 2020, 23:13   #11
BHPian
Join Date: Feb 2020
Location: TN22
Posts: 28
Thanked: 95 Times
Re: Zoomcar's database hacked, data of 3.5 million users is up for sale

Ways to be safe in my opinion:
1. Use social login like Google, Facebook, Twitter whenever possible.
2. Secure your social media accounts with 2FA (2 factor authentication) via either SMS or a t-otp app like Authy (free for all platforms) and a strong password. This will be one of the few passwords you'd ever have to remember.
3. If social login is not possible, use a password manager (I personally recommend Bitwarden, free and open-source for all platforms) to generate a random password. Bitwarden will help with filling the password anyway. Bitwarden, when using their paid subscription (their yearly plan is so cheap and affordable), checks the passwords you have saved against data breach databases.
4. Secure the password manager with 2FA again.
5. If your password manager comes with t-otp support, do not use it. If at all the password manager is compromised, your 2FA is as good as nothing. Always keep them separate.

Personally, I do not use password managers for high security accounts like my NetBanking. I have my own math algorithm to generate and rotate my passwords for them every 2 months so I do not forget them or reuse the older passwords ever. An overkill, maybe. But any protection is not the best protection in my opinion.
vijai is offline   (4) Thanks
25th May 2020, 13:17   #12
BHPian
Join Date: Oct 2012
Location: Bangalore
Posts: 566
Thanked: 461 Times
Re: Zoomcar's database hacked, data of 3.5 million users is up for sale

Quote:
Originally Posted by TejasKinger View Post
One easy way to check if your account has been compromised in a data breach is by using the website Have I Been Pwned. The site is mostly up to date with details of every new data breach and can tell you if and when your accounts have been compromised.
Does it say on which sites the password has been compromised?
girimajiananth is offline  
25th May 2020, 13:51   #13
GTO
Team-BHP Support
Join Date: Feb 2004
Location: Bombay
Posts: 56,919
Thanked: 156,066 Times
Re: Zoomcar's database hacked, data of 3.5 million users is up for sale

If the claim is true, I can imagine ZoomCar competitors lining up to purchase that data!

Meanwhile, ZoomCar has this to say:

Quote:
Greg Moran, Co-founder & CEO, Zoomcar added

The assertion pertaining to a breach of Zoomcar user’s password data is patently untrue. All Zoomcar data, including user passwords, is encrypted with strong algorithms that make it impossible for anyone to access. Moreover, we have a strict password rotation policy across all our assets along with a robust Akamai security layer. Furthermore, Zoomcar routinely works with external security auditors (including Big 4 audit firms) to ensure our systems & processes remain robust and best-in-class at all times.
Quote:
Originally Posted by warrioraks View Post
Zoomcar has been struggling financially since some time
I heard the same thing. Basically, more than half their target market (i.e. those visiting a new city) has been taken over by Uber / Ola. My source says the lack of funds shows in their shoddy fleet quality & management.

Quote:
Originally Posted by girimajiananth View Post
Does it say on which sites the password has been compromised?
I think that needs a subscription.
GTO is offline   (3) Thanks
25th May 2020, 14:25   #14
Senior - BHPian
Join Date: Jun 2009
Location: Mumbai
Posts: 1,786
Thanked: 1,884 Times
Re: Zoomcar's database hacked, data of 3.5 million users is up for sale

Quote:
Originally Posted by GTO View Post
If the claim is true, I can imagine ZoomCar competitors lining up to purchase that data!
Not sure if I agree. If this is indeed hacked / stolen I should hope any competitor would think 10 times before buying it. Any investigation that traces a purchase to a competitor would definitely be bad for them legally as well as reputationally.
Axe77 is offline  
25th May 2020, 17:43   #15
BHPian
Join Date: Dec 2016
Location: Bangalore
Posts: 122
Thanked: 337 Times
Re: Zoomcar's database hacked, data of 3.5 million users is up for sale

Quote:
Originally Posted by girimajiananth View Post
Does it say on which sites the password has been compromised?
If this is what you mean, then yes. This is what shows up for my email address:
[Attached thumbnail: screen-shot-20200525-5.41.35-pm.png]

TejasKinger is offline  