Critical Credit and Debit Card information of over 100 million users leaked on the Darkweb. The data leaked through a faulty server of a Bengaluru based startup Juspay. The startup processes transaction for Amazon, Swiggy, Airtel, Vi, Uber, and many other merchants.
The startup acknowledged the leak but the number revealed now by a Security Researcher Rajshekhar Rajaharia. The data of transactions processed between March 2017 to August 2020 are on the list apparently not the transactions themselves.
The data leaked include Credit/Debit cards starting and ending four digits, Card expiry date, Customer IDs, Full Names, Phone Numbers, and Email Addresses. The leaked data is in the form of MySQL which the hacker was selling on Darkweb and Telegram. The MySQL data and Juspay API data is exactly the same, found the researcher.
The startup acknowledges the leakage but as per them, only metadata of the customers were leaked and not any sensitive information.
No card numbers, financial credentials, or transaction data was compromised. Data records containing non-anonymised email, phone numbers and masked cards used for display purposes (contains first four and last four digits of the card, which is not considered sensitive), were compromised.Vimal Kumar, Founder – Juspay
Moreover, Kumar told Gadgets 360 that the company told their merchant partners about such breach of servers. He also told that the algorithm the company using is not possible to reverse engineer.