Data of over 10 crore credit and debit cardholders has been leaked and sold for an undisclosed amount on the Dark Web by a hacker, said independent cybersecurity researcher Rajshekhar Rajaharia on Sunday.
The data includes the names, phone numbers, and email addresses of the cardholders, along with the first and last four digits of their cards, reported NDTV.
Rajaharia said the hacker contacted buyers on Telegram and was asking for payment in Bitcoin.
The leaked data dump is being associated with Bengaluru-based digital payments platform Juspay. Juspay processes payments for Indian and global merchants including Amazon, Swiggy and MakeMyTrip.
According to the report, the data that surfaced relates to all the online transactions that took place between March 2017 and August 2020. Along with other personal details, masked card numbers with the first and last four digits were visible.
Rajaharia discovered the data dump earlier this week. He said the data was being sold with Juspay's name. Rajaharia verified the association with Juspay after comparing the data fields available in the MySQL dump sample files he received from the hacker with the company's API Document file. "Both were exactly the same," Rajaharia said.
Juspay confirmed the data breach to the media, though it did not provide any further details. Founder Vimal Kumar confirmed that on August 18, an 'unauthorised attempt' was detected, but it was terminated quickly.
He said that the data records containing non-anonymised email, phone numbers and masked cards used for display purposes were compromised. Kumar said that no card numbers, financial credentials, or transaction data were leaked.
"The masked card data (non-sensitive data used for display) that was leaked has two crore records. Our card vault is in a different PCI compliant system, and it was never accessed," Kumar was quoted as saying.
However, Rajaharia said that the numbers could be decrypted despite being masked if the hacker figures out the card fingerprints' algorithm. Kumar disagreed with the researcher's argument.
Kumar said the company does hundreds of rounds of hashing with multiple algorithms, and the algorithms that they use are currently not possible to reverse engineer.
Last month, Rajaharia discovered the personal details of nearly seven million credit and debit cardholders through the Dark Web.