Data Of 100 Milllion Cardholders Leaked On The Dark Web After Data Breach
Sensitive information of over 100 million debit and credit cardholders have been leaked on the dark web, a security researcher reported. The data has been leaked through a faulty server of mobile payments company Juspay. The data that was leaked on the dark web included names, phone numbers, and email addresses of the users, first and last digits of their cards. Juspay processes payments for companies including Amazon, MakeMyTrip, and Swiggy, among others.
The data that was leaked on the dark web contained information related to debit and credit card transactions that took place between March 2017 and August 2020. The data consisted of the names of the debit and credit cardholders, customer IDs and first and last digits of the cards. Cybersecurity researcher Rajshekhar Rajaria had discovered the data leak a week ago.
Rajaharia says that the leaked data was available on the dark web for sale for an undisclosed amount and it was selling with the name of Juspay. “The hacker was contacting buyers on Telegram and was asking for payments in Bitcoin,” Rajaharia told the publication. Juspay had also acknowledged a data breach on its platform.
“On August 18, 2020, an unauthorized attempt on our servers was detected and terminated when in progress. No card numbers, financial credentials or transaction data were compromised. Some data records containing non-anonymised, plain-text email and phone numbers were compromised, which form a fraction of the 10 Cr data records,” Juspay founder Vimal Kumar said.
Kumar assured that the data that was leaked did not include the card details of the users. It was only the customer metadata that contained the mobile and email addresses of the users.
“The masked card data (non-sensitive data used for display) that was leaked has two crore records. Our card vault is in a different PCI compliant system and it was never accessed. We do hundreds of rounds of hashing with multiple algorithms and also have a salt (another number appended to the card number). The algorithms that we use are currently not possible to reverse engineer even given enough compute resources,” he said.
Juspay upon discovering the breach in data had informed its merchant partners and enhanced its cybersecurity measures. For the unversed, Juspay offers the payment gateways for widely-used apps including Airtel, Swiggy, Vodafone, Uber, Cred, Ola and Flipkart. The company has claimed that it processes over 2 million transactions every day.