Data Of Over 10 Crore Indians Leaked, Sold On Dark Web: Cybersecurity Researcher
Writer: Devyani Madaik
A media enthusiast, Devyani believes in learning on the job and there is nothing off limits when it comes to work. Writing is her passion and she is always ready for a debate as well.
India, 4 Jan 2021 2:29 PM GMT | Updated 4 Jan 2021 2:54 PM GMT
Editor : Shubhendu Deshmukh |
Shubhendu, the quint essential news junky, the man who loves science and politics in equal measure and offers the complete contrast to it by being a fan of urdu poetry as well.
Creatives : Abhishek M
" An engineer by profession, Abhishek is the creative producer of the team, graphic designing is his passion and travelling his get away. In more ways than one, he makes the content visually appealing."
The data includes the names, phone numbers, and email addresses of the cardholders, along with the first and last four digits of their cards.
Data of over 10 crore credit and debit cardholders have been leaked and sold for an undisclosed amount on the Dark Web by a hacker, said Independent cybersecurity researcher Rajshekhar Rajaharia on Sunday.
The data includes the names, phone numbers, and email addresses of the cardholders, along with the first and last four digits of their cards, reported NDTV.
Rajahria said the hacker contacted buyers on Telegram and was asking payments in Bitcoin.
The massive data dump leaked is being associated with Bengaluru-based digital payments platform Juspay. Juspay processes payments for Indian and global merchants including Amazon, Swiggy, MakeMyTrip etc.
According to the report, the data surfaced is related to all the online transactions that have taken place between March 2017 and August 2020. Along with other personal details, masked card numbers with the first and last four digits were visible.
Rajahria discovered the data dump earlier this week. He said the data was being sold with Juspay's name. Rajahria verified the association with Juspay after comparing the data fields available in the MySQL dump sample files he received from the hacker with the company's API Document file. "Both were exactly the same," Rajahria said.
Juspay confirmed the data breach to the media, though it did not provide any further details. Founder Vimal Kumar confirmed that on August 18, an 'unauthorised attempt' was detected, but it was terminated quickly.
He said that the data records containing non-anonymised email, phone numbers and masked cards used for display purposes were compromised. Kumar said that no card numbers, financial credentials, or transaction data were leaked.
"The masked card data (non-sensitive data used for display) that was leaked has two crore records. Our card vault is in a different PCI compliant system, and it was never accessed," Kumar was quoted as saying.
However, Rajahria said that the numbers could be decrypted despite being masked if the hacker figures out the card fingerprints' algorithm. Kumar disagreed with the researcher's argument.
Kumar said the company does hundreds of rounds of hashing with multiple algorithms, and the algorithms that they use are currently not possible to reverse engineer.
Last month, Rajahria discovered personal data of nearly seven million credit and debit cardholders' details through the dark Web.
Also Read: Pakistan: 11 Coal Miners From Minority Shia Hazara Community Shot Dead By ISIS