In another breach of personal data, sensitive information of over 100 million credit and debit cards users has been leaked on the dark web. The breach reportedly took place from the server of Juspay, a digital payment processing service.
A report by Gadgets360 highlights the data breach that took place in August last year, which has now been confirmed by Juspay. The leaked data reportedly includes names, phone numbers, and email addresses of the debit and credit cardholders as well as the first and last four digits of the cards.
The report mentions that the data leak occurred between March 2017 and August 2020. It highlights that the data included "personal details of several Indian cardholders along with their card expiry dates, customer IDs, and masked card numbers with the first and last four digits of the cards fully visible."
The report acknowledges that even though much sensitive data was leaked, digital transactions and order details were not part of this.
It also affirms that the data leaked through the Juspay servers is now being sold on the dark web for an undisclosed amount.?Cybersecurity researcher Rajshekhar Rajaharia spotted the data set being sold on the dark web under the?name of Juspay. ¡°The hacker was contacting buyers on Telegram and was asking payments in Bitcoin,¡± said Rajaharia.
Juspay has acknowledged the data breach since it came to light. However, the company maintains that the leaked information was not "sensitive".
¡°On 18 August 2020, an unauthorised attempt on our servers was detected and terminated when in progress. No card numbers, financial credentials or transaction data were compromised. Some data records containing non-anonymised, plain-text email and phone numbers were compromised, which form a fraction of the 10 crore data records,¡± Juspay founder Vimal Kumar said, as highlighted in a Firstpost report. "The masked card data (which is not sensitive) has 2 Cr user records. Our card vault, in a different PCI-compliant system with encrypted card data, was never accessed," he added.
Even though the data related to cards and transactions was masked and cannot be used for financial scams, it can very well be used by miscreants to conduct phishing attacks on these users.??
Since Juspay offers payment processing services to several e-merchants like Amazon, MakeMyTrip, and Swiggy, several of the users of these platforms that dealt through the payment service might be left vulnerable to such phishing attacks.