Data from more than 100 million credit and debit card holders leaked on the dark web
The sensitive data of more than 100 million credit and debit card holders has been leaked on the dark web, according to a security researcher. The data included the full names, phone numbers and email addresses of the cardholders, along with the first and last four digits of their cards. It appears to be associated with the payment platform Juspay, which processes transactions for Indian and global merchants including Amazon, MakeMyTrip, and Swiggy, among others. The Bengaluru-based startup acknowledged that some of its user data had been compromised in August.
The data that emerged on the dark web relates to online transactions that took place between at least March 2017 and August 2020, files shared with Gadgets 360 suggest. It included personal details of various Indian cardholders along with their card expiration dates, customer IDs, and masked card numbers with the first and last four digits of the cards fully visible. However, the details of particular transactions or orders are apparently not part of the leak.
Scammers could combine the card details that appeared with the contact information available in the dump to execute phishing attacks on affected cardholders.
Cybersecurity researcher Rajshekhar Rajaharia discovered the data dump earlier this week. He told Gadgets 360 that the leaked data was for sale on the dark web by a hacker.
“The hacker was communicating with buyers on Telegram and requesting payments in Bitcoin,” Rajaharia said.
He told Gadgets 360 that the data dump was being sold on the dark web under the name of Juspay and that he was able to find its link to the company after some observation. The company also confirmed a data breach to Gadgets 360, although it did not provide further details.
The researcher said that to verify the association with Juspay, he compared the data fields available in the sample MySQL dump files he received from the hacker with a Juspay API document file. “They were both exactly the same,” he said.
Without providing details on the latest data breach, Juspay founder Vimal Kumar told Gadgets 360 that an “unauthorized attempt” was detected on August 18 and was stopped while it was in progress.
“No card numbers, financial credentials or transaction data were compromised,” Kumar said in an email. “Data records containing non-anonymized emails, phone numbers and masked cards that are used for display purposes (contain the first four and last four digits of the card, which are not considered sensitive), were compromised.”
Kumar added that the email and mobile information was “a small fraction of the 10 crore records” and that most of the information is anonymized on servers. He also claimed that the 10 crore records were not card details but customer metadata, with a subset containing users’ email and mobile information.
“The data on the masked card (non-confidential data used for display) that was leaked has records of two million rupees. Our card vault is on a different PCI compliant system and was never accessed,” he said.
Rajaharia claimed that, despite being masked, the card numbers could be deciphered if a hacker figured out the algorithm used to fingerprint the card. However, Kumar disagreed with the researcher.
“We do hundreds of hashing rounds with multiple algorithms and we also have a salt (another number added to the card number). The algorithms that we currently use are not possible to reverse engineer, even with sufficient computing resources,” he said.
Juspay received some data samples from its cybersecurity partner Cyble, which are still under evaluation for a few days. Kumar told Gadgets 360 that Juspay informed its business partners on the same day that it observed unauthorized access to its servers.
The company also identified security gaps in some of its older passwords used by developers and made two-factor authentication (2FA) mandatory for all tools accessed by its teams, the executive said.
However, Rajaharia says that Juspay’s security side is still not that strong. He told Gadgets 360 that he noticed a configuration problem on the company’s site that is currently redirecting to malicious websites.
“An old unused domain (used for a beta test product) pointed to an AWS Internet Protocol (IP) that had been claimed by another AWS user whose server has this content,” said Kumar.
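The misconfiguration described here, a DNS record left pointing at a cloud IP address the company no longer holds, can be caught by auditing the zone against an inventory of currently allocated addresses. The following is an added example, not code from the article or from Juspay; the hostnames, addresses (documentation ranges) and the provider range are constructed for illustration.

```python
import ipaddress

# Constructed sample data: hypothetical hostnames, documentation-range addresses.
CLOUD_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # stand-in for the provider's published ranges
OWNED_IPS = {ipaddress.ip_address("203.0.113.10")}       # addresses currently allocated to our accounts
ZONE = """\
www.example.test.    300 IN A     203.0.113.10
beta.example.test.   300 IN A     203.0.113.77
mail.example.test.   300 IN A     198.51.100.5
old.example.test.    300 IN CNAME beta.example.test.
"""

def parse_zone(text):
    """Return (name, type, value) for each A/CNAME line of a simple zone listing."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "IN" and parts[3] in ("A", "CNAME"):
            records.append((parts[0], parts[3], parts[4]))
    return records

def find_dangling(zone_text, owned_ips, cloud_ranges):
    """Flag names that resolve into provider address space we no longer hold."""
    records = parse_zone(zone_text)
    a_records = {}
    for name, rtype, value in records:
        if rtype == "A":
            a_records.setdefault(name, []).append(ipaddress.ip_address(value))
    cnames = {name: value for name, rtype, value in records if rtype == "CNAME"}

    def is_dangling(ip):
        # In the provider's range but not in our inventory: someone else may hold it.
        return ip not in owned_ips and any(ip in net for net in cloud_ranges)

    findings = []
    for name, ips in a_records.items():
        for ip in ips:
            if is_dangling(ip):
                findings.append((name, str(ip), "A record targets unowned cloud IP"))
    for name, target in cnames.items():
        seen = set()
        while target in cnames and target not in seen:  # follow CNAME chains, guard loops
            seen.add(target)
            target = cnames[target]
        for ip in a_records.get(target, []):
            if is_dangling(ip):
                findings.append((name, str(ip), f"CNAME via {target}"))
    return sorted(findings)
```

Addresses outside the provider ranges (such as the `mail` record in the sample) are not flagged, since the check only concerns address space that can be reassigned to another tenant.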
Details available on the Juspay site show that it has a team of more than 150 people and reaches 50 million users daily. Its products are claimed to process more than four million transactions daily, and its software development kits (SDKs) are available on more than 100 million devices. Companies including Amazon, Airtel, Flipkart, Vi (Vodafone Idea), Swiggy and Uber are among its key customers, for whose customers it enables payments.
Founded in 2012, Juspay is Level 1 compliant with the Payment Card Industry Data Security Standard (PCI DSS), which is the highest level of compliance given by the PCI Security Standards Council to payment merchants.
Last month, Rajaharia found personal data from seven million Indian credit and debit cardholders leaked through the dark web. Sensitive data of more than 1.3 million Indian bank customers also appeared on the dark web in 2019.
Experts often point out that data leaks are becoming more common in India as the country expands its digital infrastructure without proper regulations on cybersecurity. In the absence of a privacy protection law, companies operating in the country are not obliged to firmly protect their users’ data.