Dark Web News Analysis
A threat actor on a known cybercrime forum is advertising the sale of a massive database allegedly belonging to Buddy Loan (buddyloan.com), a major Indian fintech marketplace for personal loans. The dataset reportedly contains 11 million customer records dating from 2024.
Brinztech Analysis:
- The Target: Buddy Loan is a prominent loan aggregator in India, partnering with RBI-approved lenders to offer personal loans. It collects extensive financial and personal data to assess creditworthiness.
- The Likely Source (KillSec): Intelligence reports confirm that Buddy Loan was previously listed as a victim of the KillSec ransomware group in early 2025 (alongside other Indian entities like Apollo Hospital and Auto Dukan). This new “alleged” leak is likely the public sale or re-circulation of the data exfiltrated during that campaign, now being monetized by data brokers.
- The Data: The leaked fields are highly sensitive and specific to lending:
  - Financial PII: Monthly Income, Employment Details, Salary Mode, and Existing EMIs.
  - Identity Documents: PAN (Permanent Account Number) and Aadhaar Numbers.
  - Banking: Credit Card Information and Bank Details.
Key Cybersecurity Insights
This alleged data breach presents a severe threat to Indian loan seekers:
- High Utility for “Digital Arrest” Scams: The combination of PAN, Aadhaar, and Mobile Numbers is the “holy grail” for identity theft in India. More dangerously, the “Employment Details” and “Income” data allow scammers to launch highly convincing “Digital Arrest” scams—posing as law enforcement or tax officials claiming money laundering on the victim’s account, citing real financial data to force compliance.
- Loan Application Fraud: With access to salary slips (implied by “salary mode/income”) and KYC documents, attackers can apply for fraudulent loans across other fintech apps in the victim’s name.
- Regulatory Fallout (DPDP Act): This breach falls under the scope of India’s Digital Personal Data Protection (DPDP) Act, 2023. If confirmed, Buddy Loan faces mandatory reporting obligations to the Data Protection Board of India and potential penalties up to ₹250 crore for failing to prevent the processing of personal data by unauthorized actors.
- Reputational Damage: As a loan aggregator, trust is Buddy Loan’s primary asset. A breach of 11 million records erodes confidence among both borrowers and the lending partners (banks/NBFCs) who rely on the platform for leads.
Mitigation Strategies
In response to this claim, Buddy Loan users must take immediate action:
- Mandatory Password Reset: Users should change their Buddy Loan passwords immediately. Crucially, check if the same password was used for linked email or banking accounts and rotate those as well.
- Monitor Credit Reports (CIBIL): Affected users must check their CIBIL or Experian credit reports monthly. Look for any unauthorized loan inquiries or new accounts opened in 2024-2025.
- Lock Biometrics (Aadhaar): Users should lock their Aadhaar biometrics via the mAadhaar app or UIDAI website to prevent unauthorized KYC authentication.
- Phishing Vigilance: Be extremely skeptical of calls referencing your loan application status, EMI dates, or income tax discrepancies. Verify all such claims by calling the official organization directly.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com