Security researchers have found that in a breach of Juspay’s servers, sensitive data of over 100 million credit and debit card users have been leaked on the dark web. The leaked data reportedly includes full names, phone numbers, and email addresses of the cardholders, along with the first and last four digits of their cards. Just pay offers payment processing services for e-merchants like Amazon, MakeMyTrip, and Swiggy. Just pay has also acknowledged that the data of some of its users was compromised in August 2020.
It was found that the breach and data leak took place between March 2017 and August 2020. According to a report by Gadgets360, the data that was found on the dark web included “personal details of several Indian cardholders along with their card expiry dates, customer IDs, and masked card numbers with the first and last four digits of the cards fully visible.” Notably, though, transaction and order details were not part of the leaked data.
Even though it was found that the leaked information of Juspay users was masked in places to reveal only partial copies of card numbers, the breach still leaves users vulnerable to phishing scams, if not a financial scam per see.
Another report by Inc42 reveals that the leaked data on the dark web includes “user’s card brand (VISA/Mastercard), card expiry date, the last four digits of the card, the masked card number, the type of card (credit/debit), the name on the card, card fingerprint, card ISIN, customer ID, and merchant account ID, among several other details. In all, over 16 fields of data relating to their payment cards have been leaked for at least 2 crore users, as conceded by Juspay, a subset of the total number of user records (10 crores) that have been leaked.” Reportedly, another subset of data was leaked, including the phone numbers and email addresses of users.
The leaked data of users is being sold on the dark web for an undisclosed amount.
Just pay has acknowledged the breach, but it also assures that the leaked information was not “sensitive.”
“On 18 August 2020, an unauthorized attempt on our servers was detected and terminated when in progress. No card numbers, financial credentials, or transaction data were compromised. Some data records containing non-anonymized, plain-text email and phone numbers were compromised, which form a fraction of the 10 crore data records,” Juspay founder Vimal Kumar said. “The masked card data (which is not sensitive) has 2 Cr user records. Our card vault, in a different PCI-compliant system with encrypted card data, was never accessed,” he added.