Tension grows as over 100 million Credit, Debit Cardholders’ data leaked on the dark web

Tension is growing among the public after a security researcher discovered that the personal data of millions of cardholders has been compromised. According to the discovery, personal information such as full names, email addresses, phone numbers, and the first and last four digits of the cards has been exposed on the dark web. As a result, the bank accounts and other sensitive data of 100 million debit and credit cardholders are at stake.

The leak of sensitive information on the dark web appears to have originated from the platform of Juspay. Juspay is a digital payment service that processes transactions for many Indian and global multinational companies such as Swiggy and Amazon. With India growing accustomed to digital payments, there is huge potential for phishing attacks if proper security is not in place.

Nature of data leaked

Cybersecurity researcher Rajshekhar Rajaharia discovered the data leak on the dark web last week. He informed Gadgets 360 about the leaked data and said that it had been put up for sale on the dark web by a hacker. According to the files shared with Gadgets 360, the leaked cardholder data covers the period from March 2017 to August 2020. The data that surfaced on the dark web included personal details of Indian cardholders. Everything from customer IDs to card expiry dates was fully visible on the site.

The transaction details have apparently not been leaked on the dark web. However, the leaked information is enough for hackers to mount phishing attacks by combining the personal details available in the dump. Rajaharia also said that the hacker, having put the information up for sale, was contacting buyers on Telegram to negotiate. Payment was demanded in Bitcoin.

Research on the data leak

On further research, Rajaharia found that the hacker was selling the information on the dark web under Juspay’s name. When contacted, the company confirmed that there was a data leak in August but didn’t provide any further details. Rajaharia continued his investigation and verified the direct link between the leaked data and Juspay. He received some sample dump files from the hacker, which he compared with a Juspay API document file. He said, “both were exactly the same.”

Juspay’s founder acknowledges the data leak

Vimal Kumar, the founder of Juspay, informed Gadgets 360 that the company detected an unauthorized attempt on 18th August of this year. He further mentioned that it was terminated while in progress. Kumar, in an email, claimed that no personal data such as card numbers, financial credentials, or transaction data was compromised. But he also acknowledged that “Data records containing non-anonymized email, phone numbers and masked cards used for display purposes (contains first four and last four digits of the card, which is not considered sensitive), were compromised.”

Kumar mentioned that the leaked masked card data, which is non-sensitive data used for display, comprises two crore records. He added that the card vault is on a different PCI-compliant system and was never accessed. In response to this comment, Rajaharia said that the masked card numbers can be decrypted if a hacker figures out the algorithm used for the card fingerprints. Kumar defended his statement, saying that Juspay does hundreds of rounds of hashing with multiple algorithms. According to him, these algorithms cannot be reverse engineered even given enough computing resources.

To prevent such attacks from recurring, Juspay has identified its security gaps and made two-factor authentication (2FA) compulsory for all the tools accessed by its team members. However, it is hard to predict the capabilities of hackers these days, after the recent data breach in the American government system that shook the internet.

Not even cybersecurity

Rajaharia is convinced that Juspay’s security is still not strong enough. He said that there is still a configuration issue on the company’s site that redirects its users to malicious websites. A company as big as Juspay, which has around 50 million daily users and major clients such as Swiggy, Airtel, Flipkart, and Uber, should be more vigilant. The company holds the highest level of compliance granted by the PCI Security Standards Council to such payment merchants, so it is its responsibility to ensure the safety of its users.