Update (January 6, 2021): A Juspay spokesperson reached out to BGR.in saying that the data of only 3.5 crore customers were breached. Also Read - Personal data of 1.3 million Clubhouse users leaked online: Report
“Juspay was victim of a malicious and unlawful cyberattack on August 18, 2020. Our threat response system immediately detected the breach and we were able to terminate the attack. Our immediate audit post the incident narrowed the breach to an isolated system containing non-sensitive masked card primarily used for display purposes on merchant UI. While we estimate information of 35 million customers to be breached – it is important to note that customers’ full card numbers, order information, card PINs, or passwords are secure. The compromised data does not contain any transaction or order information. The claim that data of 100 Mn Indians was breached is grossly incorrect,” as per the statement. Also Read - Pakistan-based hackers behind the recent Airtel data leak: Report
In what could be one of the biggest data leaks in India, the data of 10 crore cardholders has been leaked on the dark web in form of a data dump and is being sold for an undisclosed amount. According to a report by Inc42, which put screenshots of the leaked database, the data appears to have been leaked through a compromised server of Juspay. The mobile payment solution company has its headquarters in Bengaluru. Also Read - Personal data of more than 70 lakh Indians leaked on the dark web
The leak includes sensitive information like a user’s card brand, whether VISA or Mastercard, the type of card whether debit or credit, the masked card number, customer ID, merchant ID account, card fingerprint, the name on the card, and more.
Juspay data breach: Everything to know
“In all, over 16 fields of data relating to their payment cards have been leaked for at least 2 crore users, as conceded by Juspay, a subset of the total number of user records (10 crores) that have been leaked,” as per Inc42 report. Phone numbers and email addresses of users were leaked in another subset.
A Juspay spokesperson said in a statement to the website that an unauthorized attempt on its servers was made on August 18, 2020. However, it was terminated and no financial credentials or transaction data was compromised, it added. “Some data records containing non-anonymized, plain-text email, and phone numbers were compromised, which form a fraction of the 10 crore data records.” He further revealed that its merchant partners were intimated about the data leak on the same day.
In some places, data has been masked to reveal only partial information, which makes a financial scam difficult, though it can still be used by hackers for phishing scams. Cybersecurity researcher Rajshekhar Rajaharia told Inc42 that it is possible to decrypt masked card numbers if a hacker can find out the algorithm used to generate the card fingerprint.
“The masked card data (which is not sensitive) has 2 Cr user records. Our card vault, in a different PCI-compliant system with encrypted card data, was never accessed,” the Juspay spokesperson added. He added that ‘ShinyHunters’ group was trying to gain access to any accessible data after gaining access to one of Juspay’s developer keys.