Sensitive information of over 100 million credit and debit cardholders was leaked on the dark web. A security researcher reported that the data was leaked through a faulty server of Juspay, a mobile payments company.
The leaked data included phone numbers, email addresses, and full names of the cardholders as well as the first and last four digits of their cards. Juspay processes transactions for Indian and global merchants, including Swiggy, Amazon, Airtel, Vodafone Idea, Flipkart, and MakeMyTrip, among others. The Bengaluru-based company has acknowledged that some of its user data had been compromised in August.
A report by Gadgets 360 mentioned that the data leaked on the dark web contained information related to debit and credit card transactions that took place between March 2017 and August 2020. The leaked information contained several personal details of Indian cardholders as well as their customer IDs, card expiry dates, and masked card numbers with the first and last four digits of the cards.
The report also stated that particular transaction or order details were not part of the leak. Gadgets 360 noted that “the surfaced details could be combined with the contact information available in the dump by scammers to run phishing attacks on the affected cardholders.”
The data dump was discovered by cybersecurity researcher Rajshekhar Rajaharia earlier this week. He told Gadgets 360 that the leaked data was being sold on the dark web by a hacker. Rajaharia said, “The hacker was contacting buyers on Telegram and was asking payments in Bitcoin.”
Juspay founder Vimal Kumar told Gadgets 360, “On August 18, 2020, an unauthorised attempt on our servers was detected and terminated when in progress. No card numbers, financial credentials or transaction data were compromised. Some data records containing non-anonymised, plain-text email and phone numbers were compromised.”
Kumar noted that the email and mobile information was “a small fraction of the ten crore records” and most information was anonymised on the servers. He also said that the ten crore records were not the card details and were the customer metadata, with a subset containing email and mobile information of users.
He added, “The masked card data (non-sensitive data used for display) that was leaked has two crore records. Our card vault is in a different PCI compliant system and it was never accessed.” However, Rajaharia alleged that despite being masked, card numbers could be decrypted if a hacker figured out the algorithm used for the card fingerprints.
Upon discovering the data breach, Juspay informed its merchant partners and enhanced its cybersecurity measures. The company claims it is responsible for processing over 2 million transactions every day.