A security researcher has lately reported that sensitive data of more than a hundred million credit and debit cardholders have been breached and posted on the dark web. It has been reported that the dark web data leak was possible via a faulty server of JusPay, a mobile payments company.
The leaked data on the dark web contained names, email addresses and phone numbers of the users of JusPay along with the initial and last digits of their credit or debit cards. The mobile payments company, JusPay processes payments for the giant companies such as MakeMyTrip (MMT), Amazon, Airtel, Uber, Vodafone, Swiggy, Flipkart and Ola. The company claims of processing more than 2 million transactions per day.
As per the researcher’s report, the dark web data leak contained information on the credit and debit card transactions that occurred between March 2017 and August 2020. The leaked data held the names of the customers or the credit and debit cardholders, IDs of the customers along with the first and the last digits of the leaked credit and debit card numbers. The security researcher had unearthed the dark web data leak about a week ago.
The security researcher revealed to a daily that the breached data was made available on the dark web for sale, where the amount had not been disclosed. The hacked data was being sold under the name of JusPay.
“The hacker was contacting buyers on Telegram and was asking for payments in Bitcoin,” Rajaharia told the publication. JusPay had also acknowledged a data breach on its platform.”
“On August 18, 2020, an unauthorized attempt on our servers was detected and terminated when in progress. No card numbers, financial credentials or transaction data were compromised. Some data records containing non-anonymized, plain-text email and phone numbers were compromised, which form a fraction of the 10 Cr data records,” JusPay founder Vimal Kumar told a daily reporter.
The JusPay founder had also assured that the data hack did not include the users’ card details. The leaked information solely bore the customer metadata that contained the email addresses and mobile numbers of the victims.
“The masked card data (non-sensitive data used for display) that was leaked has two crore records. Our card vault is in a different PCI compliant system and it was never accessed. We do hundreds of rounds of hashing with multiple algorithms and also have a salt (another number appended to the card number). The algorithms that we use are currently not possible to reverse engineer even given enough compute resources,” he said.
Upon discovering the dark web data leak, JusPay had informed its merchant partners and had taken rigid steps in enhancing its cybersecurity measures.
Disclaimer: Read the complete disclaimer here.