boAt users should worry because their personal data is leaked on dark web

If you are a customer of a boAt product, you have likely provided your contact details and possibly other sensitive information to the company. According to a new report, your data, along with those of over 7.5 million customers, may have been a part of one of the biggest data breaches of an Indian company lately. The customer data, including personally identifiable information (PII) such as name, address, email address, contact number, and more, is now up for sale on the dark web. Anyone can buy this information for as low as 2 euros, according to security analysts who said the company would likely not acknowledge this breach.

What has happened?

Forbes India has reported that a hacker who goes by ‘ShopifyGUY’ has claimed the data breach, which includes information furnished by users of boAt Lifestyle’s audio products and smartwatches. Over 75 lakh entries in the dump could be used in malicious activities beyond financial fraud. Anyone intending to target individuals and the capacity to buy the data could kick-start a series of phishing and identity theft attacks on boAt’s customers.

The report also cites Threat Intelligence Researcher Saumay Srivastava to say there is a possibility of sophisticated social engineering attacks, as well, prompting activities such as unauthorised access to bank accounts, proxy transactions and credit card fraud. Talking about how this data breach impacts the relationship between boAt and its customers, he said there would be “a loss of customer confidence” alongside other consequences related to legal actions and reputational damage.

What will boAt do about it?

boAt has yet to acknowledge the data breach, meaning there is still no word from the company about what has happened. Considering the volume of data leaked on the dark web, the company should ideally notify all its users, irrespective of whether the leak impacts them, and investigate how the breach happened. Following this should be the launch of stringent security measures to safeguard user data. However, according to Security Brigade’s founder Yash Kadakia, the company is more likely to deny the data breach and move on, leaving its customers high and dry uneventfully. The data, currently on sale for eight credits on some forums, will eventually end up on Telegram channels for no cost, he said. That would make the data more easily accessible to hackers, spammers, and malicious actors.