According to a security researcher, sensitive data of over 100 million credit and debit cardholders has been leaked on the dark Web. The data included full names, phone numbers, and email addresses of the cardholders, along with the first and last four digits of their cards. It appears to have been associated with the payments platform Juspay that processes transactions for Indian and global merchants, including Amazon, MakeMyTrip, and Swiggy, among others. The Bengaluru-based startup acknowledged that some of its user data had been compromised in August.
The data that surfaced on the dark Web relates to online transactions that took place at least between March 2017 and August 2020, the files shared with Gadgets 360 suggest. It includes several Indian cardholders’ details and card expiry dates, customer IDs, and masked card numbers with the first and last four digits fully visible. Details of particular transactions or orders are not part of the leak.
Scammers could combine these details with the contact information in the dump to run phishing attacks on the affected cardholders.
Cybersecurity researcher Rajshekhar Rajaharia discovered the data dump earlier this week. He said that the leaked data was being sold on the dark Web by a hacker.
“The hacker was contacting buyers on Telegram and was asking for payments in Bitcoin,” said Rajaharia.
He said that the data dump was being sold on the dark Web under Juspay’s name, and that he was able to establish its link to the company after some examination. The company has also confirmed a data breach, though it did not provide further details.
The researcher said that to verify the link with Juspay, he compared the data fields in the sample MySQL dump files he received from the hacker with a Juspay API documentation file. “Both were the same,” he said.
Without providing any specifics about the latest data leak, Juspay founder Vimal Kumar said that an “unauthorized attempt was detected” on August 18 and was terminated while in progress.
Over 100 Million Credit, Debit Cardholders’ Data Leaked on Dark Web
“No card numbers, financial credentials, or transaction data was compromised,” Kumar said in an email. “Data records containing non-anonymized email, phone numbers and masked cards used for display purposes (contains first four and last four digits of the card, which is not considered sensitive), were compromised.”
Kumar added that the email and mobile information was “a small fraction of the 10 crore records,” and that most information was anonymized on the servers. He also claimed that the 10 crore (100 million) records were not card details but customer metadata, with a subset containing users’ email and mobile information.
“The masked card data (non-sensitive data used for display) that was leaked has two crore records. Our card vault is in a different PCI compliant system, and it was never accessed,” he said.
Rajaharia alleged that the card numbers could be recovered despite being masked if a hacker figured out the algorithm used for the card fingerprints. Kumar, however, disagreed with the researcher.
“We do hundreds of rounds of hashing with multiple algorithms and also have a salt (another number appended to the card number). The algorithms that we use are currently not possible to reverse engineer even given enough compute resources,” he said.
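The disagreement above comes down to two things: how many card numbers a masked record actually leaves open, and whether a fingerprint stored beside it can be checked by someone who holds only the dump. The following Python is an added illustration written for this page; it is not code from the article, from Juspay or from the researcher, and the records, salt and key in it are constructed. It counts the Luhn-valid completions of a masked PAN, contrasts an iterated hash with an appended non-secret number against an HMAC under a secret key, and audits an export for rows that carry a masked PAN and a fingerprint side by side, the combination that PCI DSS guidance says needs additional controls so the two cannot be correlated.

```python
import hashlib
import hmac
import math

# Constructed sample of a "display" export of the kind the article describes:
# masked PANs (first four and last four digits visible) stored next to a card
# fingerprint. Every value here is made up for this example.
CONSTRUCTED_EXPORT = [
    {"customer_id": "cust-0001", "masked_pan": "4111XXXXXXXX1111",
     "email": "a@example.com", "fingerprint": "<hash>"},
    {"customer_id": "cust-0002", "masked_pan": "5555XXXXXXXX4444",
     "email": "b@example.com"},                       # no fingerprint column
    {"customer_id": "cust-0003", "masked_pan": "3782XXXXXXX0005",
     "fingerprint": "<hash>"},                        # 15-digit card, 7 unknown
]


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_completions(mask: str) -> int:
    """Number of valid card numbers consistent with a mask like '4111XXXXXXXX1111'.

    With n unknown digits there are 10**n raw completions. The Luhn transform
    of a single digit is a bijection on 0..9, so for any choice of the other
    unknown digits exactly one value of the remaining one makes the checksum
    valid: 10**(n-1) candidates survive.
    """
    n = mask.count("X")
    if n == 0:
        return 1 if luhn_valid(mask) else 0
    return 10 ** (n - 1)


def residual_bits(mask: str) -> float:
    """Search space of a masked PAN expressed in bits."""
    return math.log2(luhn_completions(mask))


def unkeyed_fingerprint(pan: str, salt: str, rounds: int = 300) -> str:
    """Iterated hash with a non-secret number appended, as the scheme is
    sketched in the article. Extra rounds add only a constant factor of work."""
    h = (pan + salt).encode()
    for _ in range(rounds):
        h = hashlib.sha256(h).digest()
    return h.hex()


def keyed_fingerprint(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: not recomputable without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def audit_export(records) -> list:
    """Flag rows where a masked PAN sits next to a fingerprint and report how
    many card numbers the mask leaves open."""
    return [(r["customer_id"], luhn_completions(r["masked_pan"]))
            for r in records if "masked_pan" in r and "fingerprint" in r]


def demo() -> dict:
    pan, public_salt = "4111111111111111", "12345"      # constructed values
    stored = unkeyed_fingerprint(pan, public_salt)
    # Holding only the public salt and round count is enough to confirm a
    # candidate PAN against the stored value.
    unkeyed_confirmable = hmac.compare_digest(stored, unkeyed_fingerprint(pan, public_salt))
    secret_key = b"constructed-server-side-secret"
    stored_keyed = keyed_fingerprint(pan, secret_key)
    # Without the key, even the correct PAN cannot be confirmed.
    keyed_confirmable = hmac.compare_digest(stored_keyed, keyed_fingerprint(pan, b"guess"))
    return {"unkeyed_confirmable": unkeyed_confirmable,
            "keyed_confirmable": keyed_confirmable,
            "findings": audit_export(CONSTRUCTED_EXPORT)}


if __name__ == "__main__":
    print(demo())
```

A 16-digit mask with eight hidden digits leaves about 23 bits of uncertainty, which is why the audit reports the count rather than treating the masked field alone as the problem: the masked number is harmless on its own, and the keyed fingerprint is harmless on its own, but an unkeyed fingerprint next to the mask is what the two disputing parties are really arguing about.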
Juspay received some data samples from its cybersecurity partner Cyble a few days ago that it is still evaluating. Kumar said that Juspay informed its merchant partners the same day it observed the unauthorized access to its servers.
The company also identified security gaps in some of its older access keys used by developers and made two-factor authentication (2FA) mandatory for all the tools accessed by its teams, the executive stated.
However, Rajaharia says that Juspay’s security is still not that sound. He told Gadgets 360 that he had noticed a configuration issue on the company’s site that was currently redirecting to malicious websites.
“An old unused domain (used for a beta testing product) was pointing to an AWS Internet Protocol (IP) which has been reclaimed by another AWS user whose server is having this content,” Kumar said.
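The condition Kumar describes is a dangling DNS record: a name still points at a cloud address or hostname the account has released, so whoever the provider hands that resource to next serves content under the old name. The check below is an added example written for this page, not a tool from the article or from Juspay; it runs over a constructed zone, a constructed stand-in for the provider's published address ranges (AWS publishes its own at https://ip-ranges.amazonaws.com/ip-ranges.json) and a constructed inventory of resources the account still holds, and flags records that point into provider space the account no longer owns.

```python
import ipaddress

# Constructed DNS zone for this example (not Juspay's records), with the
# trailing dots a zone file would carry.
CONSTRUCTED_ZONE = [
    ("api.example.com.",  "A",     "203.0.113.10"),
    ("beta.example.com.", "A",     "203.0.113.77"),                  # retired beta product
    ("www.example.com.",  "CNAME", "prod-lb-1.elb.example-cloud.test."),
    ("old.example.com.",  "CNAME", "retired-lb.elb.example-cloud.test."),
    ("mail.example.com.", "A",     "198.51.100.5"),                   # colocated, not cloud
]

# Address ranges the provider allocates to any tenant. Constructed stand-in
# for a published feed such as AWS's ip-ranges.json.
CONSTRUCTED_CLOUD_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Hostname suffix under which the provider names tenant load balancers (constructed).
CONSTRUCTED_CLOUD_HOST_SUFFIX = ".elb.example-cloud.test"

# Resources the account currently holds, as the provider's API would list
# them (constructed): allocated public IPs and load-balancer DNS names.
CONSTRUCTED_INVENTORY = {"203.0.113.10", "prod-lb-1.elb.example-cloud.test"}


def normalize(name: str) -> str:
    """Drop the zone-file trailing dot and fold case so names compare cleanly."""
    return name.rstrip(".").lower()


def classify(rtype, target, cloud_ranges, cloud_suffix, inventory) -> str:
    """'owned' if the target is in our inventory, 'dangling' if it lives in
    provider space that another tenant could be allocated, else 'external'."""
    target = normalize(target)
    if target in inventory:
        return "owned"
    if rtype == "A":
        ip = ipaddress.ip_address(target)
        return "dangling" if any(ip in net for net in cloud_ranges) else "external"
    if rtype == "CNAME" and target.endswith(cloud_suffix):
        return "dangling"
    return "external"


def find_dangling(zone, cloud_ranges, cloud_suffix, inventory) -> list:
    """Names whose records point at provider resources the account no longer owns."""
    return [normalize(name) for name, rtype, target in zone
            if classify(rtype, target, cloud_ranges, cloud_suffix, inventory) == "dangling"]


if __name__ == "__main__":
    for n in find_dangling(CONSTRUCTED_ZONE, CONSTRUCTED_CLOUD_RANGES,
                           CONSTRUCTED_CLOUD_HOST_SUFFIX, CONSTRUCTED_INVENTORY):
        print("dangling:", n)
```

Run on a schedule against the real zone and the provider's real inventory, the same logic catches the retired beta domain before a stranger's server does; the fix is to delete the record or re-point it, and to make releasing a cloud resource and retiring its DNS name a single step.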
The details available on the Juspay site show that it has a team of over 150 people and reaches 50 million users daily. Its products are claimed to process over four million transactions a day, and its software development kits (SDKs) are available on over 100 million devices. Companies including Amazon, Airtel, Flipkart, Vi (Vodafone Idea), Swiggy, and Uber are among its key clients, using it to enable their customers’ payments.
Founded in 2012, Juspay holds Payment Card Industry Data Security Standard (PCI DSS) Compliance Level 1, the highest level of compliance given by the PCI Security Standards Council to payment merchants.
Last month, Rajaharia found personal data of seven million Indian credit and debit cardholders leaked through the dark Web. Sensitive data of over 1.3 million Indian banking customers also appeared on the dark Web in 2019.
Experts often point out that data leaks are becoming more common in India as the country expands its digital infrastructure without proper cybersecurity regulations. The lack of a privacy protection law also places no obligation on companies operating in the country to protect their user data robustly.