Online bookstore BookChor leaks personal data of its 500,000 users

BookChor, an online marketplace for pre-owned books, has apparently suffered a data breach leaking the details of over 500,000 of its registered users.

The company has not yet acknowledged the breach or shared any specifics about the same.

Founded in 2015 by Alok Raj Sharma, Bhavesh Sharma, Prateek Maheshwari, and Vidyut Sharma, BookChor is an e-commerce platform which sells pre-owned books at affordable prices and also allows users to list their old books and sell to interested buyers directly. It is a handy service for buying cheaper second-hand books and old textbooks.

An anonymous user on a database sharing and marketplace board online has posted the entire SQL dump of 533,275 registered users of BookChor (505,373 unique email addresses). The dump includes full names, phone numbers, email numbers, photos, date of birth, physical addresses, device type, etc. in the following format.

"id","facebook_id","google_id","gcm_id","device_token","name","email","image","password","remember_token","gender","dob","phone","phone_status","account_type_id","ip_id","status","date_added","login_count","active","api_token","otp","move_status","created_at","updated_at"

The dump also includes hashed passwords (except for those users who used a social authentication, but the hashing algorithm employed is unsalted MD5—while MD5 is a generally a good checksum, it isn't a secure password hashing algorithm because it doesn't really safeguard against a brute force attack. Quite easy to crack these passwords, that is.

I have seen the dump, and can verify the details. I have no idea about the intent and the modalities of the leak though.

A sample of the leaked names, email addresses, and phone numbers (masked)

The data dump is from February 18, although the leak was revealed on March 26. I'm deliberately not linking to the forum post to avoid wider reach of the leaked database. At the time of publishing though, the links to the dump are dead. It looks like the files have been deleted. Is BookChor working things out?

Links to download the data dump (masked); now deleted

I tried getting in touch with BookChor over phone (the founders do not have their contact details listed on LinkedIn or elsewhere) for clarification but I've not received a call back as assured over the two calls. I've now dropped them an email, and will update the story per their response.

If you are a BookChor customer, there's not much you can do about the dump out there already. Do reach out to the company and urge them to make amends. If you use the same password with other online accounts as well, do change the password wherever the same one is used. Always use unique and complex passwords. Use a password manager; these things become seamless if you use one.


IF YOU'D LIKE TO SUPPORT MY WORK, BUY ME A COFFEE?
Photo by Nong Vang

Write a comment ...

Abhishek Baxi

Show your support

I write columns, talk on my podcast, publish a newsletter, and run a publication about podcasting.

Recent Supporters

Write a comment ...