Isreal cybersecurity researcher firm vpnmentor has reported a data leak that exposed data of more than 7 million BHIM app users through a misconfigured S3 bucket.
The exposed data includes financial details, photos, Aadhaar and PAN card details of more than seven million users and also private data such as name, home address, Aadhaar card details, bank records, along with a complete profile of individuals.
All related data from this campaign was being stored on a misconfigured Amazon Web Services S3 bucket and was publicly accessible
vpnmentor said
BHIM (Bharat Interface for Money) is an Indian mobile payment app developed by the National Payments Corporation of India (NPCI), based on the Unified Payments Interface (UPI) in 2016 and by the end of 2017, it has gained 12.5 million users. It was started with an initiative to facilitate safe, easy & instant digital payments through your mobile phone.
BHIM Users Data Leak
The firm said that the data was stored on an unsecured Amazon Web Services (AWS) S3 bucket. The exposed BHIM app data was labeled as “csc-bhim” on the S3 bucket.
Amazon S3 bucket is a public cloud storage resource available in Amazon Web Services‘ (AWS).
After identifying the data leak the frim contacted developers of cscbhim.com but after getting no response from them they contacted India’s Computer Emergency Response Team (CERT-In) that handles cybersecurity in India.
The exposed data includes highly sensitive, including many documents needed to open an account on BHIM
- Scans of Adhaar cards – India’s national ID
- Permanent Account Number (PAN) cards
- Professional certificates, degrees, and diplomas
- Scans of Caste certificates
- Screenshots of financial and banking apps as proof of fund transfers
- Photos used as proof of residence
The exposed data also includes personal data of the users such as name, home address, caste status, biometric data, Profile and ID photos, gender, government ID.
The exposed data includes massive CSV lists of merchant businesses signed up to BHIM, along with the business owner’s UPI ID number.
The misconfigured app also includes an APK. AWS Key pairs are equivalent to admin user/password in Amazon’s infrastructure giving the key access to the data gives an attacker an ability to start, stop, and control the server.
The sheer volume of data makes the data leak more concerning and the exposure of the APK in the server makes it even more concerning. Any skilled hacker can use his skills to target BHIM cloud storage and target it with malware and spyware to gain persistent access to the servers.
