eSewa data breached! A hacker releases nearly two dozen eSewa users’ details including passwords

Published On: October 9, 2020 05:25 PM NPT By: Republica | @RepublicaNepal

Denying data breach, eSewa blames third party sites for ‘phishing scams’

KATHMANDU, Oct 9: eSewa has suffered a massive data breach, exposing email addresses, phone numbers and passwords and other details of an undetermined number of its users.

The latest breach that compromises the data of at least two dozen eSewa users also exposes the vulnerability of the data at the online payment service provider that runs mobile wallet allowing its users to make fund transfers as well as online and offline payment through mobile phones or websites.

A hacker going by the twitter name @aparich95406002 has released the details of at least 21 users, including emails, balance amounts and passwords hidden behind asterisk characters. The tweet is no longer available as it has been removed by Twitter for violating its rules.

There were already speculations about the possible data breach after eSewa urged its users to change their passwords.

While the hacker has publicly released the data of nearly two dozen users, it is not immediately clear how many users’ data have been compromised.

Foodmandu, an e-commerce company providing on-demand food services, and Vianet, an internet service provider, also faced similar data breaches this year. In March, nearly 50,000 users’ data of Foodmandu were stolen and released online by a hacker. After a month, the personal details of nearly 170,000 Vianet customers were exposed by anonymous hackers.

The breach is considered more sensitive in the case of eSewa not only because of the users’ data privacy but also due to the risk of potential safety of the money that they hold on their digital wallet.

The breach is considered more sensitive in the case of eSewa not only because of the users’ data privacy but also due to the risk of potential safety of the money that they hold on their digital wallet.

However, it has not been clear whether any user suffering the breach has lost the money from their wallets.

eSewa, however, denies any hacking or data breach. Releasing a statement on Friday, eSewa said that it has already requested its users using web browser services to change their passwords after noticing that the data of some of its users were accessed illegally through a phishing scam.

It did not say how many users have become the victims of such phishing scams or what initiatives it has taken to protect its users from such phishing scams.

While denying the data breach, eSewa, in one of its Twitter replies, admitted that the ‘situation’ occurred due to a recent breach via third party sites.

“The recent situation did not occur because of the breach at our end. It seems to have occured due to a recent breach in third party sites. All of the information in eSewa platform is in encrypted format and is completely safe,” read the tweet.

Some eSewa users on social media have been demanding greater transparency from the company after the data breach.

“@eSewaNepal can you please be more forthcoming to users on data breach? Looks like there was since we have been asked to change the password and there is user data on twitter. Not cool. Why wasn't password encrypted?” Shisir Khanal (@shisir) asked in a tweet.

“Imagine one day your bank tells you that your locker has been stolen and that you need to register for a new locker. You see what I mean? As a major payment gateway of a country where is the accountability or at least a decent explanation as to why this happened?” Alok Timsina (@timsinalok) asked.

This is not the first time the concerns about the safety of the public’s money have been raised in eSewa wallets. An alleged involvement of Asgar Ali, Prime Minister KP Sharma Oli’s IT Consultant, in unethical 'hacking' of the news website in March end has left many people worried about their sensitive data and cash parked in the platform.

A news story on kathmandupress.com that was critical of Ali had disappeared from the site. It was later revealed that Shiran Technologies Pvt Ltd, which is also the developer of Kathmandupress website, had removed the news. eSewa and Shiran Technologies are both sister companies owned by F1Soft International where Ali is also a director. After pressures from F1Soft International's President Biswas Dhakal and Ali, founder and director of F1Soft, to remove the content did not work, the site developer reportedly removed the news story by entering the admin panel of the website.