Following an attack on Juspay’s servers, security researchers have found that data of over 10 crore credit and debit cardholders has been leaked on the dark Web. The leaked data reportedly includes the cardholders’ full names, email addresses, and phone numbers, along with the first and last four digits of their cards.
Juspay processes transactions for a host of companies, including Amazon India, Swiggy, and MakeMyTrip. According to the data shared with Gadgets 360, the compromised records appear to cover transactions that took place between March 2017 and August 2020.
The report, however, suggests that specific transaction or order details are not part of the leak. Cybersecurity researcher Rajshekhar Rajaharia discovered the leaked data, which was being sold on Telegram with bitcoins as the payment method. He told Gadgets 360 that the leaked data was on sale on the dark Web by a hacker.
Juspay has confirmed the data leak to Gadgets 360 but hasn’t provided any specific details about it. “On 18 August 2020, an unauthorised attempt on our servers was detected and terminated when in progress. No card numbers, financial credentials or transaction data were compromised. Some data records containing non-anonymised, plain-text email and phone numbers were compromised, which form a fraction of the 10 crore data records,” Juspay founder Vimal Kumar told Gadgets 360.
“The masked card data (which is not sensitive) has 2 Cr user records. Our card vault, in a different PCI-compliant system with encrypted card data, was never accessed,” he added.
According to Rajaharia, Juspay’s security is still not that sound. He told Gadgets 360 that he noticed a configuration issue on the company’s site that currently redirects to malicious websites.