Boat (stylized boAt), India's largest audio wearable brand, was the target of a data breach earlier this week. We reported on a probable link with an ongoing Shopify-related scam that targeted discount-crazy folks on social media with crazy good deals on Boat products. Well, it seems that was not the only source of stolen data and some poor bloke's hard-earned dough (or daddy monies).
ShopifyGUY, the profile behind the Boat data dump containing over 7.5 million entries, told Athenil Media that the entire cache of customer information was pulled due to choppy security measures the consumer electronics brand put in place. Another member of the same hacker forum told us that the data was most likely stolen from Boat's servers — and not some third-party or intermediary.
"The data was taken from Shopify's API using one of Boat's access keys," the hacker told us. "This was not a vulnerability in Shopify LLC. Just Boat not safeguarding their keys."
F* them. That is what they get.
Apparently, the group behind the data dump reached out to multiple divisions at the company and even claims to have contacted Aman Gupta, co-founder of Boat, who also appears on the popular TV show Shark Tank India. Gupta recently bought a stake worth Rs. 1 crore in a startup named AI Kavach that seeks to boost ... wait for it ... safety and security on smartphones.
The leaked data, however, is no laughing deal. It comprises personally identifiable details such as name, email address, home addresses, product name, amount they paid, date of transaction, purchase or customer ID, and more. Athenil Media confirmed the authenticity of the leaked data via phone calls and linked it to customers who bought Boat products in the past few months.
And here is the most surprising part. The entire data is available for less than a cup of coffee, and I'm not even talking about an overpriced sugar-bomb cup-of-piss stuff like Starbucks. All that massive trove of Boat customer data is available to download right from the hacker forum for eight credits, which comes around ₹192 ($2.30) based on current conversion rates.
It's so cheap that the hacker didn't even put it up for sale, highlighting the pathetic state of security guardrails in the Indian digital ecosystem. "There is no selling of the data; it is available for, like, 8 credits, which is basically free, ShopifyGUY told Athenil Media.
We reached out to Vedansh Kumar, Head of Brand Marketing at Boat, for a statement. He pointed us in the direction of Arun Mittal, Head of Communications and Special Projects, but he has yet to respond. This story will be updated accordingly as we hear from the company.
Update - Response from Boat:
“boAt is aware of recent claims regarding a potential data leak involving customer information. We take these claims seriously and have immediately launched a comprehensive investigation. At boAt, safeguarding customer data is our top priority.”