Upstox warns of serious data breach, resets passwords

Know-Your-Customer data of millions of stock-trading users compromised by hacking group.

Graham Cluley
@gcluley

Upstox warns of serious data breach, resets passwords

Indian stock trading firm Upstox has revealed to users that it has suffered a serious security breach that may have seen unauthorised criminal access to millions of customers’ personal information.

According to a statement posted by Upstox on its website, it became aware that criminals may have compromised its databases after receiving emails from the suspected hackers.

Customers’ names, contact information, date of birth, bank account information, and millions of KYC (Know Your Customer) details are believed to have been stolen by the ShinyHunters gang after they gained access to the company’s Amazon AWS key.

A breach of KYC data is particularly serious – because it can contain scans of ID cards, passports, photo ID, and other documents that help prove an individual’s address such as utility bills.

Such information helps financial organisations determine the true identity of a customer, and fight money laundering and the funding of terrorism, but if they fall into the wrong hands can be abused by identity thieves and scammers.

Sign up to our newsletter
Security news, advice, and tips.

Security researcher Rajshekhar Rajaharia told Medianama that the ShinyHunters gang were seeking a ransom payment from Upstox for the stolen data.

In response to the suspected breach, Upstox’s co-founder and CEO Ravi Kumar reassured customers that their funds remain safe, and said the company was strengthening its security:

“We would like to assure you that your funds and securities are protected and remain safe. Funds can only be moved to your linked bank accounts and your securities are held with the relevant depositories. As a matter of abundant caution, we have also initiated a secure password reset via OTP”

In addition, Upstox says it has temporarily disabled its desktop trading platforms, NEST trader terminal, Dartstock & Fox Trader. Users are advised to trade through its website instead.

Obviously it makes sense to ensure that you don’t use a password for your Upstox account that you are using anywhere else on the net, and don’t allow yourself to be tricked into sharing your OTP (one-time-password) code with anyone.

Upstox concludes by reminding customers that it takes customers’ security and privacy “very seriously.”

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.