BigBasket User Database Offered on Dark Web and Later Leaked for Free
Indian online grocer BigBasket was linked to a major data exposure after a threat actor advertised a database allegedly containing details of roughly 20 million users for sale on the dark web. Reporting said the records included customer information such as names, email addresses, phone numbers, physical addresses, dates of birth, password hashes, and IP addresses, raising concerns about follow-on phishing, account takeover, and identity fraud affecting a large portion of the company’s customer base.
The incident later escalated when the same alleged BigBasket dataset was reportedly released for free, making the information broadly accessible rather than limited to a private sale. The leak significantly increased the potential impact of the breach by lowering the barrier for cybercriminals to reuse the data in credential attacks and targeted scams, while intensifying scrutiny of the company’s security posture and breach response.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Alleged BigBasket user records leaked for free online
The same allegedly stolen BigBasket dataset, affecting roughly 20 million users, was later reportedly released for free rather than being sold. This marked an escalation from a sale listing to broad public exposure of the data.
BigBasket user database allegedly offered for sale on the dark web
Reports said a threat actor put data allegedly belonging to about 20 million BigBasket users up for sale on a dark web marketplace. The exposed information was described as including user details from the Indian online grocery platform.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Hacker leaks 20 million alleged BigBasket user records for free
bleepingcomputer.com
Open sourceBigbasket faces potential data breach; details of 2 crore users put on sale on dark web | Business News - The Indian Express
indianexpress.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Dark Web Leak Claims Target Colis Privé and Multiple Online Services
Dark web monitoring reports described **unverified data leak claims** involving several organizations, including French parcel delivery firm **Colis Privé**. One post on **BreachForums** allegedly offered an upload of **22,564,381 records** attributed to Colis Privé, described as `.jsonl` files totaling **~4.1 GB**; no specific threat actor attribution or company confirmation was cited, and the notice characterized the situation as informational while scope is assessed. If authentic, the scale and format of the dataset would materially increase risk of **identity theft, credential stuffing, and targeted phishing** against customers. Separate dark web forum posts also alleged database exposures affecting **JobsGO** (Vietnam recruitment platform), **MyVete** (veterinary management platform), **PIXPAY** (Senegalese payment service), and **Groupe Fondasol** (France-based engineering). The claimed datasets reportedly include **CV/personal records**, and in some cases **API credentials and employee metadata**, with example figures including **~2.3 million records** for JobsGO and **~5.57 million records** for MyVete (verification not indicated). Across the claims, the primary business risk is downstream abuse of exposed personal and operational data for **social engineering, recruitment fraud, and account takeover**, rather than immediate exploitation of a specific software vulnerability.
Mar 21, 2026
Massive Credential Exposure Reveals Billions of Stolen Login Records
Researchers and media reports disclosed enormous troves of exposed login data, including an unprotected 47.42 GB database containing **184,162,718** unique usernames and passwords tied to services such as Microsoft, Facebook, Google, Instagram, Snapchat, Discord, Netflix, PayPal, and government portals in 29 countries. Security researcher Jeremiah Fowler found the database on an unmanaged server with no password protection or encryption, and sample records included account types, website URLs, and plaintext passwords labeled `senha`. Fowler said multiple individuals confirmed the leaked credentials were genuine after he contacted them directly. The exposed records are believed to be linked to **infostealer malware** and broader malware-as-a-service collection operations, with subsequent reporting describing a far larger cache totaling **16 billion** credentials affecting major consumer platforms including Apple, Facebook, and Google. The disclosures raise immediate risks of credential stuffing, account takeover, phishing, fraud, and unauthorized access to corporate and government systems. Public access to the 184 million-record database was later restricted after responsible disclosure to the hosting provider, but the owner of the data remains unidentified.
May 25, 2026
Hackers Claim InfoDesk Breach Exposed Employee Data at Pharma and Financial Firms
A threat actor has claimed to have breached enterprise intelligence software provider **InfoDesk** and is offering the allegedly stolen data for sale on a dark web forum. Reporting indicates the sample data included five records from each of 18 organizations, along with InfoDesk records, and the actor claimed to hold as many as 1,000 records in total. The exposed information reportedly consists primarily of employee full names and corporate email addresses tied to major organizations, including firms in the pharmaceutical, healthcare, financial, consulting, and nonprofit sectors; Cybernews specifically said the data involved employees at companies such as **Moderna**, **Johnson & Johnson**, and **Bayer**. Researchers said the immediate danger is not large-scale identity theft but highly targeted phishing and social-engineering attacks. Because the records appear linked to a known enterprise vendor, attackers could use the contact details to craft convincing lures for credential theft, malware delivery, or follow-on business email compromise. The alleged incident adds to broader concerns over third-party supplier exposure, where compromises at service providers can create downstream risk for multiple corporate customers at once.
May 25, 2026