In what appears to be a massive data breach, user data of Reliance Jio subscribers can be found by entering the phone number on magicapk.com.
The leak appears to have surfaced earlier this month on a forum, with multiple users on Twitter confirming on Sunday that they are able to enter their Jio SIM number on magicapk.com, and see personal details, including their name, mobile number, email id, circle, SIM activation date, and Aadhaar number.
The website was suspended by the hosting provider around 11 PM, but before it went down, we were able to independently harvest user details by entering the phone number. It often took multiple tries, but we were successful. In no case, however, were we able to see an Aadhaar number.
Manan Shah, co-founder of Avalance Global Solutions, was also able to independently confirm the breach, and sent us over a dozen screenshots of leaked user details. FactorDaily was also able to independently find details on two users. “This data might have gotten leaked from a Reliance store, but that seems a distant possibility. It could have been leaked internally,” he said over a phone call. Independent accounts on Reddit also seem to confirm the breach.
A search for ‘whois’ details on the domain does not reveal the name or organisation of the person who registered the domain. The website was registered on May 18, 2017.
Varun Krish, editor of Fonearena, was able to find details of himself and his team on the site before it went down. “Multiple people started messaging me asking whether this was real… I put my own number, and I was like f***,” he said.
However, none of the Aadhaar numbers were exposed in any of the searches he made. Nor were any Aadhaar numbers exposed in any of the searches we made here at FactorDaily. “The SIMs that I got with Aadhaar number, either they are coming without the Aadhaar number, or not coming at all,” said Krish.
“Data privacy is a joke in India. There were stories of people selling Aadhaar numbers earlier. This data is not very sensitive, but it is still a data breach,” Krish said. “I don’t want anybody to know my email address, for instance. Although it is becoming very easy to find this data on Truecaller, it is still irresponsible data management from Jio.”
A Reliance Jio spokesperson offered the following statement when we asked them to confirm the data breach.
“We have come across the unverified and unsubstantiated claims of the website and are investigating it. Prima facie, the data appears to be unauthentic. We want to assure our subscribers that their data is safe and maintained with highest security. Data is only shared with authorities as per their requirement. We have informed law enforcement agencies about the claims of the website and will follow through to ensure strict action is taken.”
Updated at 8.15am on July 10, 2017, to correct the date of registration of magicapk.com. It earlier said the website was registered on May 18, 2017.
Updated at 8.59am on July 10, 2017, to correct the date or origin of the leak.