Sensitive data of 100 million users leaked on Dark Web
What's the story
Sensitive data of over 100 million users has been leaked on the Dark Web, according to security researcher Rajshekhar Rajaharia, who discovered the data dump last week. The data, allegedly linked to payments platform Juspay, includes information like full names of the users, their phone numbers and email addresses, as well as the first and last four digits of their debit or credit cards.
Key details
Data related to online transactions processed between March 2017-August 2020
According to Gadgets360, the leaked data is related to online transactions processed "at least between March 2017 and August 2020." Though particular transaction details are not available in the files, the leaked data includes "personal details of several Indian cardholders" along with their customer IDs, the first and last four digits of their credit/debit cards, as well as the expiry dates of these cards.
The victim
Leaked data belongs to Juspay, claims cybersecurity researcher
According to Rajaharia, the leaked data was available on Dark Web with the name of Juspay - a Bengaluru-based payments platform that processes transactions for clients like Amazon, MakeMyTrip, Airtel, Swiggy, Uber, Ola and Flipkart. The researcher claims to have verified the association of the leaked data with Juspay by comparing the data field in leaked files with a Juspay API document file.
Official words
'A hacking attempt happened but no financial credentials were compromised'
"On August 18, 2020, an unauthorized attempt on our servers was detected and terminated when in progress. No card numbers, financial credentials or transaction data were compromised," a Juspay spokesperson said. "Some data records containing non-anonymized, plain-text email and phone numbers were compromised, which form a fraction of the 10 crore data records," the person added.
Targeted attacks
Leaked data could be used to run phishing attacks
Juspay claims that only masked card data was leaked and the company's PCI-compliant card vault was never accessed. However, as per Rajaharia, the card numbers could be decrypted if a hacker figures out the algorithm used for the card fingerprints. He also warns that the leaked data and the contact information could be used to run phishing attacks on the affected cardholders.