Over 100 Million Credit, Debit Cardholders’ Data Leaked on Dark Web


Sensitive data of over 100 million credit and debit cardholders has been leaked on the dark Web, according to a security researcher. The data included full names, phone numbers, and email addresses of the cardholders, along with the first and last four digits of their cards. It appears to be associated with payments platform Juspay, which processes transactions for Indian and global merchants including Amazon, MakeMyTrip, and Swiggy, among others. The Bengaluru-based startup acknowledged that some of its user data had been compromised in August.

The data that surfaced on the dark Web relates to online transactions that took place at least between March 2017 and August 2020, the files shared with Gadgets 360 suggest. It included personal details of several Indian cardholders along with their card expiry dates, customer IDs, and masked card numbers with the first and last four digits of the cards fully visible. However, specific transaction or order details do not appear to be part of the leak.

Scammers could combine the surfaced details with the contact information available in the dump to run phishing attacks on the affected cardholders.

Cybersecurity researcher Rajshekhar Rajaharia discovered the data dump earlier this week. He told Gadgets 360 that the leaked data was being sold on the dark Web by a hacker.

“The hacker was contacting buyers on Telegram and was asking for payments in Bitcoin,” said Rajaharia.

He told Gadgets 360 that the data dump was selling on the dark Web under the name of Juspay and that he was able to find its link with the company after some observation. The company also confirmed a data breach to Gadgets 360, though it did not provide further details.

The researcher said that to confirm the association with Juspay, he compared the data fields available in the MySQL dump sample files he received from the hacker with a Juspay API document file. “Both were precisely the same,” he said.

Without providing any specifics around the latest data leak, Juspay founder Vimal Kumar told Gadgets 360 that an “unauthorised attempt was detected” on August 18 that was terminated while in progress.

“No card numbers, financial credentials, or transaction data was compromised,” Kumar said in an email. “Data records containing non-anonymised email, phone numbers and masked cards used for display purposes (contains first four and final four digits of the card, which isn’t thought to be touchy), were compromised.”

Kumar added that the email and mobile information was “a small fraction of the 10 crore records” and that most information was anonymised on the servers. He also claimed that the 10 crore records were not card details but customer metadata, with a subset containing email and mobile information of users.

“The masked card data (non-sensitive data used for display) that was leaked has two crore records. Our card vault is in a different PCI compliant system and it was never accessed,” he said.

Rajaharia alleged that despite being masked, the card numbers could be decrypted if a hacker could figure out the algorithm used for the card fingerprints. However, Kumar rejected the researcher's claim.

“We do hundreds of rounds of hashing with more than one algorithm and actually have a salt (another number appended to the card number). The algorithms that we use are currently not imaginable to reverse engineer even provided enough compute resources,” he said.

Juspay received some data samples from its cybersecurity partner Cyble a couple of days ago that it is still evaluating. Kumar told Gadgets 360 that Juspay informed its merchant partners the same day it observed the unauthorised access to its servers.

The company also identified security gaps in some of its older access keys used by developers and made two-factor authentication (2FA) mandatory for all of the tools accessed by its teams, the executive stated.

However, Rajaharia says that the security side of Juspay is still not that sound. He told Gadgets 360 that he noticed a configuration issue on the company’s site that is currently redirecting to malicious websites.

“An old unused domain (used for a beta testing product) was pointing to an AWS Internet Protocol (IP) which has been reclaimed by another AWS user whose server is having this satisfied,” Kumar said.
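A stale record of this kind, a hostname still pointing at a cloud address the organisation no longer holds, can be caught by auditing DNS against the account's current address inventory. The following is an added example, not code from the article or from Juspay; the zone records, cloud ranges, owned-address set and function names are all constructed for illustration.

```python
import ipaddress

# Constructed sample zone (RFC 5737 documentation addresses, not real data).
ZONE = """\
www.example.test.   300 IN A     198.51.100.10
beta.example.test.  300 IN A     203.0.113.45
old.example.test.   300 IN CNAME beta.example.test.
mail.example.test.  300 IN A     192.0.2.25
loop.example.test.  300 IN CNAME loop.example.test.
"""
# Constructed stand-in for a cloud provider's published address ranges.
CLOUD_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]
# Assumption: addresses currently allocated to our own cloud account.
OWNED_IPS = {ipaddress.ip_address("198.51.100.10")}

def parse_zone(text):
    """Return (A records, CNAME records) from 'name ttl IN type value' lines."""
    a, cname = {}, {}
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[2] != "IN":
            continue
        name, rtype, value = f[0].lower(), f[3].upper(), f[4]
        if rtype == "A":
            a.setdefault(name, []).append(ipaddress.ip_address(value))
        elif rtype == "CNAME":
            cname[name] = value.lower()
    return a, cname

def resolve(name, a, cname, limit=8):
    """Follow in-zone CNAMEs to A records; stop on loops or long chains."""
    seen = set()
    while name in cname and name not in seen and len(seen) < limit:
        seen.add(name)
        name = cname[name]
    return a.get(name, [])

def find_dangling(zone_text, cloud_ranges, owned_ips):
    """Flag names that end at a cloud address we do not currently hold."""
    a, cname = parse_zone(zone_text)
    findings = []
    for name in sorted(set(a) | set(cname)):
        for ip in resolve(name, a, cname):
            if any(ip in net for net in cloud_ranges) and ip not in owned_ips:
                findings.append((name, str(ip)))
    return findings
```

Names flagged this way are candidates for deletion or re-pointing; releasing a cloud address should be paired with removing every record that resolves to it.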

The details available on the Juspay site show that it has a team of over 150 people that reaches 50 million users daily. Its products are claimed to process over four million daily transactions and its software development kits (SDKs) are available on over 100 million devices. Companies including Amazon, Airtel, Flipkart, Vi (Vodafone Idea), Swiggy, and Uber are among its key clients enabling payments for their customers.

Founded in 2012, Juspay holds Payment Card Industry Data Security Standard (PCI DSS) Compliance Level 1, which is the highest level of compliance provided by the PCI Security Standards Council to payment merchants.

Last month, Rajaharia found personal data of seven million Indian credit and debit cardholders leaked through the dark Web. Sensitive data of over 1.3 million Indian banking customers also appeared on the dark Web in 2019.

Experts often point out that data leaks are getting more common in India as the country is expanding its digital infrastructure but without proper regulations on cybersecurity. The lack of a privacy protection law may be putting no compulsion on companies operating in the country to protect their user data firmly.
