Juspay Data Leak: Over 100 Million Credit & Debit Card Details On Sale Sets Alarm Bells Ringing

New Delhi: Time and again people are warned against cybercrimes that can cost them millions of rupees. And now, dark web is proving to be a favourite hunting ground for the cybercriminals.

According to researchers, over a 100 million credit, debit cardholders’ data leaked on dark web. It includes full names, phone numbers, and email addresses of the cardholders, along with the first and last four digits of their cards.

This was associated with payments platform Juspay that processes transactions for Indian and global merchants, including Amazon, MakeMyTrip, and Swiggy, among others.

The data that was leaked was related to online transactions that took place at least between March 2017 and August 2020.

Rajshekhar Rajaharia Cybersecurity researcher says that the leaked data was on sale on the dark Web with the name of Juspay by a hacker.

 “The hacker was contacting buyers on Telegram and was asking payments in Bitcoin,” said Rajaharia.

Juspay founder Vimal Kumar said that an, “Unauthorised attempt was detected” on August 18 that was terminated when in progress.”

“No card numbers, financial credentials, or transaction data was compromised,” Kumar said in an email.

 “Data records containing non-anonymised email, phone numbers and masked cards used for display purposes (contains first four and last four digits of the card, which is not considered sensitive), were compromised.”

Kumar added that the email and mobile information was, “A small fraction of the 10 crore records” and most information was anonymous on the servers. He also said that the 10 crore records werea the customer metadata, with a subset containing email and mobile information of users.

 “The masked card data (non-sensitive data used for display) that was leaked has two crore records. Our card vault is in a different PCI compliant system and it was never accessed,” he said.

Rajaharia alleged that if a hacker would figure out the algorithm that is used for the card fingerprints then it is possible to do the decryption of the card numbers. However, Kumar didn’t agree with this information.

“We do hundreds of rounds of hashing with multiple algorithms and also have a salt (another number appended to the card number). The algorithms that we use are currently not possible to reverse engineer even given enough compute resources,” he said.

Juspay’s cybersecurity partner, Cyble, provided some data samples a few days back that it is still evaluating. Kumar said that Juspay informed its merchant partners on the same day it observed the unauthorised access to their servers.

The company has also identified security gaps in some of its older access keys used by developers and made two-factor authentication (2FA) mandatory for all the tools accessed by its teams, the executive stated.

Juspay official site shows that it has a team of over 150 people that reach 50 million users daily. Its products are claimed to process over four million daily transactions and its system development kits (SDKs) are available on over 100 million devices.