Monitoring The Dark Web & Discovering The Breach

The initial disclosure of the breach was made by Dunzo it self on the 11th of July 2020. As part of our continuous monitoring of 4000+ Surface, Deep & Dark Web Forums for data breaches, we discovered this database being sold on DarkWeb forums around the first week of July 2020.

The forum post claims that the data contains 8,493,681 rows of user data and the hacker has suggested that the initial breach took place in June 2020. On analysing the breach data, we found there were 5,969,986 rows of data published as part of this leak and the breach itself took place around the 20th of June 2020.

Dunzo Data Breach Published on Dark Web Forums

Inside The Dunzo Data Breach

The database contains a single table: Users_DunzoUser

id, password, last_login, is_superuser, uuid, first_name, last_name, email, phone, country_code, type, status, device_token, phone_type, phone_make, date_joined, last_updated, secret_key, app_version, registered_on, registered_platform character, send_logistics_pricing, send_logistics_pricing_image_format, last_pricing_version_shared, preferred_mode_of_payment, credit_amount, credit_score, maximum_retries_count, profile_data_updated_on_firebase, merchant_id, permission_role, user_status, flow_version, extra_data_json, city_id, current_runner_task_id, source, first_known_location, last_known_location, referral_code, referred_by_code, advertising_id, device_id, bucket_id

The passwords in the database seem to be stored using Django Password Hashes (Salted SHA 256 hash with 20000 iterations), while some users don’t have a password string in the database since they are most likely using social or OTP based login. In-addition to the email addresses, mobile numbers, IP addresses & password hashes the GPS locations of the users while they installed and last used the application along with details about their phone devices are also available.

Dunzo Data Breach

General Recommendations

Since the password hashes have been leaked, there is a significantly likelihood of password stuffing attacks taking place against various platforms where the same email / mobile and password are being used. In-addition to this, threat actors can use the email addresses to send spam, phishing emails, and launch other online scams.

So, as a rule of thumb:

• Use strong passwords.
• Enable multi-factor authentication for all your online accounts.
• Don’t open unsolicited email attachments and links, especially from senders you don’t recognise.
• Don’t share OTPs with third-parties.
• Review online accounts and financial statements periodically.
• Regularly update your apps and any other software you use.

The post Dunzo Data Breach Published on DarkWeb Forum – 6 Million Users Impacted appeared first on ShadowMap.