An allegedly leaked database could lead to unauthorised transactions from the accounts of Flipkart customers who also used grocery platform BigBasket with the same user ID and password, an independent cyber security expert said on Wednesday.
According to the expert, Rajashekhar Rajaharia, cyber criminals are selling sets of email addresses and passwords of customers from allegedly leaked BigBasket databases that match accounts on e-commerce firms Flipkart and Amazon.
However, he said Amazon sends an OTP for login when there is a change in browser. "It seems, some people are selling Bigbasket Email:Password combinations as Flipkart data. People are using the same password for all websites. Almost all emails are matching with Bigbasket DB (database). Change your Flipkart Passwords asap," Rajaharia tweeted.
He also said Flipkart should secure its accounts. "Anyone with a combination of leaked email and password can easily login from anywhere including VPN/TOR to Flipkart. Please mandatory 2FA (two-factor authentication) for all accounts," Rajaharia said.
He also posted account details being sold on Telegram. When contacted, a Flipkart spokesperson said the group is absolutely focused on maintaining the safety and security of customer data and has robust information security systems and controls in place.
"In parallel, to create awareness on fraudulent activities we drive awareness campaigns across various media and social channels, educating customers on best practices for safe online experience and to keep their accounts safe from unscrupulous cyber elements," the spokesperson said.
Queries sent to Amazon and BigBasket did not elicit any immediate response.