A security researcher has reported that, private information belonging to over 100 million debit and credit cardholders has been leaked to the dark web. The data leak happened from mobile payment processor Justpay. Information in the data leak includes; names, phone numbers, and email addresses of the Just pay users, first and last digits of debit/credit cards. Justpay is a huge payment processor and they process payments for Amazon, Swiggy, MakeMyTrip, Airtel, Swiggy, Vodafone, Uber, Cred, Ola and Flipkart.
According to reports from tech blogs, the data leak contained information related to debit and credit card transactions that happenned between March 2017 and August 2020. The data leaked on the dark web consisted of the names of the debit and credit cardholders, customer IDs and first and last digits of the cards. Indian cybersecurity researcher, Rajshekhar Rajaria discovered the data leak a week ago.
Rajaharia said that the leaked data was available for sale on the dark web. The amount is undisclosed and it is selling with the name of Juspay. “The hacker contacted buyers on Telegram and asked for payments in Bitcoin,” Rajaharia said. Justpay has acknowledged the data leak.
Juspay founder Vimal Kumar told said:
“On August 18, 2020, an unauthorized attempt on our servers was detected and terminated when in progress. No card numbers, financial credentials or transaction data were compromised. Some data records containing non-anonymised, plain-text email and phone numbers were compromised, which form a fraction of the 10 Core data records,”
Kumar said that the data leaked does not include the card details that could compromise finances in the credit/debit card of the users. User metadata containing the mobile phone and email addresses of the users was the only information that was compromised in the data leak.
Vimal Kumar told said:
“The masked card data (non-sensitive data used for display) that was leaked has two crore records. Our card vault is in a different PCI compliant system and it was never accessed. We do hundreds of rounds of hashing with multiple algorithms and also have a salt (another number appended to the card number). The algorithms that we use are currently not possible to reverse engineer even given enough compute resources,”.
Upon discovering the data leak, Juspay claimed it informed its merchant partners and enhanced its cybersecurity measures. Just pay claims that it processes over 2 million transactions every day.
Danger of this data leak
Although Juspay has admitted that its data was compromised between 2017 and 2020, it has kept information about the attack limited. It says that no sensitive data that could compromise the finances of its users was leaked.
While that is technically true, the position of Justpay overlooks the impact of losing email and phone numbers that phishing hackers can utilize in their activities.