Sensitive information belonging to over 100 million credit and debit cardholders was leaked on the dark web. A security researcher reported that the data was leaked through a faulty server of Juspay, a mobile payments company.
The leaked data included phone numbers, email addresses, and full names of the cardholders, as well as the first and last four digits of their cards. Juspay processes transactions for Indian and global merchants, including Swiggy, Amazon, Airtel, Vodafone Idea, Flipkart, and MakeMyTrip, among others. The Bengaluru-based company has acknowledged that some of its user data had been compromised in August.
A report by Gadgets 360 mentioned that the data leaked on the dark web contained information related to debit and credit card transactions that took place between March 2017 and August 2020. The leaked information contained several personal details of Indian cardholders as well as their customer IDs, card expiry dates, and masked card numbers with the first and last four digits of the cards.
The report also stated that particular transaction or order details were not part of the leak. Gadgets 360 noted that “the surfaced details could be combined with the contact information available in the dump by scammers to run phishing attacks on the affected cardholders.”