A New York-based payments startup left millions of credit card transaction records exposed for anyone to see on the Internet for nearly three weeks before securing it, a media report said on Thursday. Security researcher Anurag Sen found the database belonging to card payments processor Paay, TechCrunch reported after alerting the company about the finding. Also Read - Google Optimize feature launched to help keep websites updated through coronavirus pandemic
The database was pulled offline by Paay after it became aware of the issue. “On April 3, we spun up a new instance on a service we are currently in the process of deprecating,” Paay co-founder Yitz Mendlowitz was quoted as saying. “An error was made that left that database exposed without a password.” Also Read - Hackers creating scam sites similar to COVID-19 relief packages
To prevent fraudulent transactions, Paay verifies payments on behalf of selling merchants, but anyone could access the data inside because there was no password on the server. A review of a portion of the data base by TechCrunch revealed that each transaction contained credit card number and expiry date besides the amount spent, but as the data did not include names of the cardholder as well as card verification values, the exposure did not make it any easier for fraudsters to misuse it. Mendlowitz, however, said that his company does not store card numbers. Also Read - Coronavirus: Apple Mobility data reveals more than 70 percent decline in walking and driving after lockdown
During this time, when hackers and threat actors want to cash in their own pockets at the expense of others, this kind of exposed credit card transaction records could have lead to a bigger crisis. If you remember, Google recently reported that in just one week from 6 to 13 April, it saw more than 18 million daily malware and phishing emails related to Covid-19 scams.
Watch Video: Top 5 apps providing free services during coronavirus pandemic
Also, Hackers are creating scam sites similar to COVID-19 relief packages. These scam websites use the news of the coronavirus financial incentives, and fears about coronavirus to try and trick people into using the websites or clicking on links. Check Point Researchers found that since January, a total of 4,305 domains relating to new stimulus/relief packages have been registered globally. In March 2020, a total of 2,081 new domains were registered -38 malicious and 583 suspicious. In the first week of April, 473 were registered – 18 malicious, 73 suspicious.
Written with agency inputs