620 million user records from 16 websites. The hacker has now stolen data from eight more websites including Ixigo.
According to a TechCrunch report, the hacker has stolen 18 million user records from Ixigo and 40 million from the live video streaming site YouNow. Citing the listings for the websites, the report says the data consists largely of email IDs and hashed passwords. Ixigo used the old and outdated MD5 hashing algorithm, which makes it easier for hackers to unscramble the passwords.
The Gurgaon-based company claims that it has already taken pre-emptive security measures for its users. The company enabled two-factor authentication and reset the passwords and security tokens of its users. The company’s founder, Aloke Bajpai, said that the company will continue to investigate the breach and will issue notifications to its users to reset their passwords.
In a statement to TOI, Bajpai said, “Ixigo is currently investigating this alleged security breach. We are a travel marketplace and we take our users’ data and privacy seriously. We do not store payment, cards, or financial information for any of our users. We encrypt and hash our passwords with a one-way hashing algorithm.”
The startup was launched in 2006 and later received funding from Sequoia Capital India, Fosun RZ Capital, and SAIF Partners. The company claims to have a user base of 100 million. The Ixigo platform helps users compare and book from more than 120 travel suppliers and OTAs across flights, hotels, trains, cabs and destinations.
This is not the first major data leak targeting an Indian startup. Earlier, online food delivery platforms like Zomato and FreshMenu faced similar data leaks. Zomato had also issued a notification to its users to reset their passwords. This month, even State Bank of India experienced a glitch that possibly leaked sensitive data of its account holders; however, the bank has denied the same.
The lack of data-centric legislation is a prime concern for Indian internet users. The Ministry of Electronics and Information Technology (MeitY) has formulated a Draft Personal Data Protection Bill that prescribes penalties for violations in processing personal data.