Indian search service provider Justdial has been caught in a major data breach which has reportedly leaked the data of 100 million users who have registered once on the site. The leaked data contains not only names and email IDs but also the mobile numbers and addresses of the users, all of which are publicly available.
An independent security researcher by the name of Rajshekhar Rajaharia has revealed a major security flaw in Justdial’s search engine database that exposes the personal data of 100 million registered users. Of the affected users’ information, 70 percent was collected just by ringing up Justdial’s number “88888 88888”.
Rajaharia first published a post on Facebook which said: “Dear Justdial Your 100 Million users data including name, email, mobile number, gender, dob, address, photo, company, occupation & other details are publicly accessible”. As reported by Inc42, Rajaharia also shared screenshots of the data found on Justdial’s servers. The screenshots revealed sensitive information about its users, reachable through a public URL, with no need for a hacker to penetrate the servers.
The researcher added that the breach was possible due to an older version of Justdial’s app which has been left unmodified since 2015. There are also four other app APIs which have remained unprotected over the last four years. Rajaharia confirmed that while Justdial had reached out to him, the loophole still exists and the data can still be accessed by anyone who enters the specific public URL.
In a statement released to Inc42, Justdial senior database architect Rajeev Nair said: “We are still investigating the system for any such alleged loopholes. We have been trying for the past two-three days and as far as we are concerned there is no loophole. Most of our systems and APIs are foolproof and there are security and coding enrichments that we do around it. We will explore further on the front pointed out by the security researcher and arrest it as soon as we can, if at all there is any loophole like this”.
This latest data breach adds to the list of security flaws that have haunted tech companies in the past few months. Earlier this year, Facebook was allegedly spotted extracting user data through its Facebook Research VPN app, but the social media giant refuted claims that it spied on its users. Flipkart was also caught in the middle of data leaks, as scam callers disguised as Flipkart employees called customers and convinced them they were genuine by revealing details of their last order. The Jharkhand government was also caught in a data breach when the Aadhaar numbers of several employees were left exposed after a security lapse in the state government’s online portal.