Dubsmash, Big Basket and others fall victim to data leaks.
02 May 2021 | BREACHAWARE HQ
A total of 16 breach events were found and analysed, resulting in 63,941,524 exposed accounts containing a total of 8 different data types of personal data. The breaches found publicly and freely available included Dubsmash, Big Basket, Animoto, At Space and Cheat Master.
Categories of Personal Data Discovered
Contact Data, Technical Data, Locational Data, Financial Data.
Data Breach Analysis
The nature of these platforms ranges from consumer-facing tech and e-commerce to niche entertainment and online service providers. Despite their differences, these breaches share common threads: the scale of affected data, the diversity of its use cases, and the long-term implications of its public and free availability.
Dubsmash, a short-form video platform that gained popularity before the rise of TikTok, represents a particularly concerning case. Given the nature of its service, some users may also have uploaded profile photos, connected their social media accounts, or interacted with a public audience. When such platforms are breached, it’s not just the profile data that is compromised but also the metadata surrounding user behaviour, logins, account creation dates, and sometimes even IP addresses or session activity. Considering its largely youthful user base, the exposure of Dubsmash data extends potential risks into reputational harm and digital identity manipulation.
Big Basket, a major Indian online grocery retailer, underscores the more utilitarian but deeply personal dimension of breach incidents. While credit card numbers are not always stored, even partial transaction data, paired with names and emails, can be useful for fraudsters. Moreover, the demographic profile of Big Basket’s customer base, which includes households across India’s urban centres, adds another layer of regional specificity to the risk. A breach of this nature has implications not just for the customers, but also for regulatory compliance and trust in India’s growing e-commerce sector.
Animoto, a cloud-based video creation service, may at first seem low-risk due to its creative orientation. However, users of platforms like Animoto often store media, associate accounts with professional profiles, or even link third-party services for integration purposes. If OAuth tokens, API keys, or backend identifiers were part of the breach, this would introduce a vector for secondary compromise. Even without that, the mere association of users with sensitive or commercial projects, especially if these projects were intended to be confidential, can have reputational or business consequences. Animoto also supports paid tiers, so exposure may include billing-related information or subscription metadata.
At Space, a European-based free web hosting provider, likely attracted a wide variety of users ranging from casual bloggers to small businesses or hobbyist developers. Hosting platforms are particularly sensitive targets, as a compromise may involve not just user accounts but also web content, configurations, and possibly FTP credentials. If administrative credentials or control panel access were included in the breach, malicious actors could deface websites, inject malware, or redirect traffic. Such breaches tend to have downstream effects, particularly if hosted sites included forms, user registration modules, or integrations with other online services.
Cheat Master represents the darker, underground side of the internet's breach landscape. As a platform potentially associated with gaming cheats or hacks, its user base is niche but also cautious. Users of such platforms often seek anonymity, use pseudonymous handles, and operate with a greater awareness of operational security. A breach of this nature may not expose traditional real-world identity data, but it may link usernames and email addresses to behaviour users intentionally tried to keep separate from their public or professional lives. The implications here are less about financial risk and more about exposure and accountability, especially if users are associated with TOS violations or ethically questionable behaviour.
This range of data types provides a complete enough picture of an individual to allow profiling, phishing, or social engineering at scale. Hashed passwords, while better than plaintext, vary significantly in terms of protection based on hashing algorithm strength and salting practices. If weak hashes or unsalted formats were used, cracking becomes a trivial process for actors with basic computing power.
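The difference salting and algorithm choice make can be checked on a service's own credential table. The sketch below is an added example, not BreachAware's code: it classifies stored values by format, flags fast unsalted hashes, and reports users whose stored hashes are identical. The `scrypt$salt$hash` layout, the function names and the sample rows are all constructed for illustration.

```python
import hashlib, hmac, os, re
from collections import defaultdict

# Heuristic recognition by format only; a 32-hex value is MD5-shaped, not proven MD5.
SCHEMES = [
    ("argon2", re.compile(r"^\$argon2(id|i|d)\$"), "slow+salted"),
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), "slow+salted"),
    ("scrypt", re.compile(r"^scrypt\$[0-9a-f]{32}\$[0-9a-f]{64}$"), "slow+salted"),
    ("sha256-shaped", re.compile(r"^[0-9a-f]{64}$"), "fast+unsalted"),
    ("sha1-shaped", re.compile(r"^[0-9a-f]{40}$"), "fast+unsalted"),
    ("md5-shaped", re.compile(r"^[0-9a-f]{32}$"), "fast+unsalted"),
]

def classify(stored):
    for name, pattern, rating in SCHEMES:
        if pattern.match(stored):
            return name, rating
    return "unknown", "review"

def hash_password(password):
    """Salted scrypt; the 'scrypt$salt$hash' layout is this example's own."""
    salt = os.urandom(16)  # fresh per-user salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify(password, stored):
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time compare

def audit(rows):
    """rows: (user, stored_hash). Returns weak users and groups sharing one hash."""
    weak, by_hash = [], defaultdict(list)
    for user, stored in rows:
        if classify(stored)[1] != "slow+salted":
            weak.append(user)
        by_hash[stored].append(user)
    shared = [users for users in by_hash.values() if len(users) > 1]
    return {"weak": weak, "shared": shared}

# Constructed sample store: four users who all chose the same password.
PW = "summer2021"
ROWS = [
    ("alice", hashlib.md5(PW.encode()).hexdigest()),
    ("bob", hashlib.md5(PW.encode()).hexdigest()),
    ("carol", hash_password(PW)),
    ("dave", hash_password(PW)),
]
REPORT = audit(ROWS)
```

In the report, the two unsalted rows collapse into one shared value, so recovering one password recovers both, while the salted scrypt rows differ even though the password is the same.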
A user with accounts across multiple platforms could face compounded exposure. For instance, if the same email address appears in both the Dubsmash and Big Basket breaches, with similar passwords, an attacker could potentially pivot from one platform to another, gaining more insight with each step. This sort of cross-platform correlation is increasingly common in the data aggregation circles of cybercrime forums, where publicly available breach data is used to build composite identities.
The fact that these datasets were made publicly and freely available is another critical element. When breach data circulates openly, often uploaded to anonymous file-sharing sites or pastebins, it ceases to be the domain of specialist attackers and becomes accessible to a much wider group. This includes amateur hackers, curious onlookers, and would-be social engineers. It lowers the barrier to exploitation and makes preventative responses much harder. Public breach data also allows companies and journalists to verify leaks, but this transparency comes at the cost of control and containment.
It’s worth considering that some of these platforms may not have acknowledged the breaches publicly, especially if the leaks occurred outside of any formal breach notification process. In other cases, the data may be older and part of past incidents that were partially addressed or underreported. The blend of known and lesser-known brands in this group shows that data vulnerability does not discriminate by size or popularity.
The cumulative figure of 63 million accounts is significant on its own, but it becomes even more pressing when considering the varied audience segments: from Indian households to European web developers, from creative professionals to mobile-first youth. The breaches touch not only consumer identities but also professional roles, technical infrastructure, and behavioural data.
What emerges is a mosaic of digital risk, stitched together by a patchwork of compromised platforms, inconsistent security practices, and a global user base that increasingly has little say in how or where their data ends up. For those who work in digital privacy, law enforcement, journalism, or corporate risk, breaches like these offer both a warning and a dataset. They provide insight into what’s leaking, who is affected, and how patterns emerge across platforms.