Aditya Birla Capital Digital (ABCD) has restored client gold lost to hackers and conducted a forensic audit of the matter, even as the breach highlights vulnerabilities around application programming interfaces (APIs), the interfaces that let apps work with each other.
On 24 June, ABCD filed a first information report (FIR) with the cyber cell of the Mumbai Police, stating that digital gold worth ₹1.95 crore was sold off without customer consent. The company’s information security team found that digital gold from 435 accounts was sold without authorization on 9 June. The complaint also said an unknown person had hacked an API endpoint of the ABCD app.
Digital gold allows customers to own gold without having to store it physically; the holdings are backed by physical gold stored in vaults. Mint has seen a copy of the FIR.
“We have conducted an independent forensic audit, and recommended actions have been implemented to enhance robustness of the platform,” an ABCD spokesperson said in an emailed response. “We have also enforced additional preventive measures, including strengthened encryption and validation checks to reinforce platform security.”
APIs are the programmatic interfaces through which online services exchange data and commands with each other. They allow financial services to authenticate a person’s identity, accept payments and more, acting as digital gateways that interlink any app with any service on the internet.
“This person (hacker) bypassed the normal transaction flow and illegally initiated digital gold sales from various customer accounts without their consent,” the FIR said. It said that customers who want to purchase or sell digital gold through the ABCD app must register their mobile number. Purchases can be made directly, but sales require verification by a one-time password (OTP) sent to the registered mobile number. The proceeds from these unauthorized transactions, the complaint said, were transferred into several bank accounts.
Cyber security experts said such breaches are common globally, raising concerns that they could surface at more Indian companies.
Lalit Kalra, partner and leader, cyber security and data privacy at EY India, said that unsecured or misconfigured API endpoints, which Aditya Birla faced, are “a growing threat for all”. “From leaking personal data to enabling account takeovers, APIs have become a goldmine for attackers,” said Kalra.
Most modern data breaches aren’t about breaking in—they’re about walking in through a forgotten API, he said, adding that common issues like insecure authorization and sensitive data in responses can leave organizations exposed.
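The FIR’s description of the sale flow (OTP required for sales, bypassed by calling the endpoint outside the normal flow) and Kalra’s point about insecure authorization both come down to the same engineering rule: a server must not trust that the client completed an earlier step. The following Python sketch is an added illustration written for this article, not ABCD’s code and not a description of the actual flaw; the account data, OTP format, time-to-live and attempt limit are constructed assumptions. It contrasts a sell handler that assumes the OTP step already happened with one that enforces object-level authorization, binds the OTP to the account and quantity, and makes the challenge single-use and time-limited.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory state for the example; a real service would use a
# database and an SMS gateway. Balances are in grams of digital gold.
ACCOUNTS = {
    "acct-1": {"mobile": "+91-XXXXXXXXXX", "gold_grams": 10.0},
    "acct-2": {"mobile": "+91-YYYYYYYYYY", "gold_grams": 5.0},
}
PENDING_OTPS = {}        # account_id -> pending sale challenge (assumed structure)
OTP_TTL_SECONDS = 300    # assumed validity window
MAX_ATTEMPTS = 3         # assumed guess limit per challenge


def _hash_otp(account_id, grams, otp):
    # Bind the OTP to the account and the exact quantity so a code issued
    # for one sale cannot be replayed against a different account or amount.
    msg = f"{account_id}|{grams:.4f}|{otp}".encode()
    return hashlib.sha256(msg).hexdigest()


def issue_sale_otp(account_id, grams, now=None):
    """Create a single-use OTP challenge for selling `grams` from `account_id`.
    Returns the OTP here only so the example is self-contained; in production
    it is sent to the registered mobile number and never returned to the caller."""
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(1_000_000):06d}"
    PENDING_OTPS[account_id] = {
        "digest": _hash_otp(account_id, grams, otp),
        "grams": grams,
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    return otp


def sell_gold_unchecked(account_id, grams):
    """Weak pattern (illustrative): the handler assumes the client already
    completed the OTP step, so reaching the endpoint with an account id is
    enough to trigger a sale. Nothing ties the request to a verified owner."""
    acct = ACCOUNTS[account_id]
    if grams > acct["gold_grams"]:
        return {"ok": False, "reason": "insufficient balance"}
    acct["gold_grams"] -= grams
    return {"ok": True, "sold": grams}


def sell_gold(session_user, account_id, grams, otp, now=None):
    """Hardened handler: every precondition is enforced on the server."""
    now = time.time() if now is None else now
    # 1. Object-level authorization: the authenticated user may only act on
    #    its own account, regardless of which account id the request names.
    if session_user != account_id:
        return {"ok": False, "reason": "forbidden"}
    # 2. A pending challenge must exist for this account and this quantity.
    challenge = PENDING_OTPS.get(account_id)
    if challenge is None or challenge["grams"] != grams:
        return {"ok": False, "reason": "no matching OTP challenge"}
    # 3. Expiry and attempt limits bound the guessing and replay window.
    if now > challenge["expires"] or challenge["attempts"] >= MAX_ATTEMPTS:
        PENDING_OTPS.pop(account_id, None)
        return {"ok": False, "reason": "challenge expired"}
    challenge["attempts"] += 1
    # 4. Constant-time comparison of the bound digest.
    expected = challenge["digest"]
    if not hmac.compare_digest(expected, _hash_otp(account_id, grams, otp)):
        return {"ok": False, "reason": "invalid OTP"}
    # 5. Single use: consume the challenge before any value moves.
    PENDING_OTPS.pop(account_id, None)
    acct = ACCOUNTS[account_id]
    if grams > acct["gold_grams"]:
        return {"ok": False, "reason": "insufficient balance"}
    acct["gold_grams"] -= grams
    return {"ok": True, "sold": grams, "remaining": acct["gold_grams"]}


if __name__ == "__main__":
    code = issue_sale_otp("acct-1", 2.0)
    print(sell_gold("acct-2", "acct-1", 2.0, code))   # forbidden: not the owner
    print(sell_gold("acct-1", "acct-1", 2.0, code))   # succeeds once
    print(sell_gold("acct-1", "acct-1", 2.0, code))   # challenge already consumed
```

The point of the contrast is that the two handlers expose the same URL and accept the same quantity; the difference is entirely in what the server verifies before moving value. In a review of a sell-side API, the checks to look for are the ones numbered in `sell_gold`: ownership of the target account, a challenge bound to the specific transaction, expiry and attempt limits, a constant-time comparison, and consumption of the challenge before the balance changes.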
The app is housed under Aditya Birla Capital Digital Ltd, a wholly owned subsidiary of Aditya Birla Capital Ltd that was incorporated in March 2023. It cost ₹100 crore to build, according to statements by company executives at its launch, and has products around credit, investments, insurance and payments.
“All our services on the platform are live and fully secure. All the impacted customers have been proactively reached out by us and their Digi Gold holdings have been systematically restored to their respective accounts,” the company spokesperson said.
According to Sidharth Mutreja, co-founder and chief technology officer of homegrown cyber security firm RockLadder Technologies, API vulnerabilities are what cyber criminals look for in their quest to find a “backdoor”.
“There is an increasing number of managed security solutions that help track such vulnerabilities. Even then, weak encryption is one of the most common factors for these breaches proliferating globally,” Mutreja added.
EY’s Kalra said that with increasing regulations such as India’s Cert-In rules and the Digital Personal Data Protection Act, companies will face “increasing cost of compliance if their technical gateways such as API endpoints are not adequately guarded.” “The costs, especially for smaller companies, can be crippling,” he added.
Cert-In mandates a six-hour reporting window for hacks such as ABCD’s digital gold breach, failing which companies face punitive measures from the government.