Boat, which currently leads the Indian audio wearables market, is apparently the latest victim of a massive data breach affecting millions of customers. According to a post on a hacker forum, a data trove linked to a staggering 7.5 million Boat wearable buyers is now available with a hacker who goes by the username ShopifyGUY.
The leaked data contains a wide range of personally identifiable details, such as name, email address, home addresses, product name, amount paid, date of transaction, purchase/customer ID, and more. Athenil Media accessed a small subset of the data and was able to verify the authenticity of the leak by dialing up a handful of the affected customers.
This won't be the first instance of its kind, nor is it surprising. Incogni recently reported that India sits at the second spot on the list of countries that are most frequently targeted by data broker breaches. Earlier in March, an Indian marketing analytics firm Gamooga was involved in a dangerous data leak targeting well-known brands such as Nykaa, Swiggy, BigBasket, ICICI, Tata Motors, and Redbus, among others.
The latest Boat incident is not too different in terms of severity. So far, it is unclear if the data has been sold to brokers or bad actors on the dark web. Athenil Media has reached out to the hacker and a few other members on the forum that seem to be keen on getting their hands on the leaked customer details.
The data brokerage industry is worth hundreds of billions of dollars, and given the depth of customer details leaked, it will be a hot property for bad actors to get their hands on. Identity theft, financial fraud, phishing scams, credential stuffing, and social engineering attacks are just some of the avenues for raising hell.
A simple yet effective social media scam?
So far, Boat hasn't responded to how the breach happened. There are some clues, starting with the "ShopifyGUY" username on the hacker forum, which curiously is associated with only two posts, both detailing the same Boat data dump.
On the Consumer Complaints Court forum, there are a whole bunch of grumbles and grievances that link Boat and Shopify, an e-commerce platform, as two interconnected elements of a social media scam. The idea is familiar – dangle an irresistible deal, get the cash, and scoot off with all the details provided by an average online shopper.
It seems misleading ads appearing on social sites such as Instagram, claiming to offer Boat gear at deeply discounted prices, are behind the leak. These ads redirected customers to websites that used the "Boat" brand name with different variations – such as Boatnirvana.co.in, earboat.ind.in, boatlifesty.in, boatsounds.com, boatkart77.myshopify.com, boat-house75.myshopify.com, boat-blooth.myshopify.com — among others.
Most of these URLs have now gone defunct. PayU served as the payment gateway for these fraudulent transactions, and the hoodwinked customers even got confirmation about the same in their email inboxes. What the whole charade was missing, as expected, were crucial online purchase details such as tracking ID or shipment link.
Here's a sample of one of those fake ads:
It is quite likely that these shady websites collected all the data that was leaked, which was illicitly scraped and found its way to hacker forums and/or data brokerage marketplaces. However, it sounds truly extraordinary that nearly 7.5 million people would fall victim to an online scam promising earbuds at lower than market price.
Moroever, given the horribly inadequate and downright shit data protection safeguards at Indian companies – and especially government portals – it is quite plausible that Boat's data servers were breached. We are awaiting more details from the Boat and cybersecurity agencies on the whole incident.
In the meanwhile, if you are out shopping for gizmos and come across a social media deal that's too good to be true, then it probably is. Also, please check the URL of the websites before you hit that checkout button. If something looks off, run like hell!