In what could be one of the biggest data leaks in India, the data of 10 crore cardholders has been leaked on the dark web in the form of a data dump and is being sold for an undisclosed amount. According to a report by Inc42, which published screenshots of the leaked database, the data appears to have been leaked through a compromised server of Juspay. The mobile payment solution company has its headquarters in Bengaluru.
The leak includes sensitive information such as a user’s card brand (VISA or Mastercard), the type of card (debit or credit), the masked card number, customer ID, merchant ID account, card fingerprint, the name on the card, and more.
Juspay data breach: Everything to know
“In all, over 16 fields of data relating to their payment cards have been leaked for at least 2 crore users, as conceded by Juspay, a subset of the total number of user records (10 crores) that have been leaked,” as per the Inc42 report. Phone numbers and email addresses of users were leaked in another subset.
A Juspay spokesperson said in a statement to the website that an unauthorized attempt on its servers was made on August 18, 2020. However, it was terminated and no financial credentials or transaction data were compromised, it added. “Some data records containing non-anonymized, plain-text email, and phone numbers were compromised, which form a fraction of the 10 crore data records.” He further revealed that its merchant partners were informed of the data leak on the same day.
In some places, data has been masked to reveal only partial information, which makes a financial scam difficult, though it can still be used by hackers for phishing scams. Cybersecurity researcher Rajshekhar Rajaharia told Inc42 that it is possible to decrypt masked card numbers if a hacker can find out the algorithm used to generate the card fingerprint.
“The masked card data (which is not sensitive) has 2 Cr user records. Our card vault, in a different PCI-compliant system with encrypted card data, was never accessed,” the Juspay spokesperson added. He also said that the ‘ShinyHunters’ group was trying to gain access to any accessible data after gaining access to one of Juspay’s developer keys.