Juspay the company that processes payments for Amazon and Swiggy has reported that data leak of over 100 million debit and credit card users on the dark web. The leaked data is in the form of a data dump and has been leaked through a compromised server of Juspay. Juspay has confirmed the data leak in its official blog post, outlining the details of the breach. The breach resulted in about 3.5 crore records with masked card numbers and personal data getting compromised.
“It pains us to inform you that a data breach did happen on 18th August 2020. Non-sensitive masked card information, mobile numbers and email ids of a subset of our users were compromised,” the company said.
Cybersecurity researcher Rajshekhar Rajaharia discovered the data breach. He found that the data dump was available for sale on the dark web.
The researcher further noted that this data breach could be a lot more serious if the hackers figure out the encryption algorithm used to hash card numbers.
Here’s what was leaked in the Juspay Data Breach
As per Juspay, the leaked information includes non-sensitive masked card information, mobile numbers and email IDs of a subset of users. The company has said that the leaked information does not include full card numbers, order information, card PIN or password.
The data on the dark web includes information such as the bank that has issued the card, card expiry date, the last four digits of the card, masked card number, card type and the user’s name, among other details.
What is a worrying factor?
The researcher pointed out that there could be a major risk to users if the algorithm used to hash card numbers is leaked or if the hackers figure it out on their own.
A hash is a unique and fixed-length string that is mapped to a set of data. In this case, Juspay has hashed the 16-digit debit and credit card numbers in order to process transactions.
If hackers can figure out the algorithm used to generate these hashes, they could use brute force and find out what the original card numbers are.
Juspay has masked only six digits out of sixteen-digit card numbers. Rajaharia says that while this is good, the safety of users rests primarily on the hashing algorithm.
Data Leak is lucreative for Scammers:
The data leak includes mobile numbers, they could call unsuspecting cardholders and trick them into revealing the full card numbers, PIN, CVV as well as one-time passwords.
The users are paying customers, they are a lot more valuable than non-paying customers. This makes the Juspay data leak a lot more lucrative for hackers and scammers and further this data can be leaked in the dark web.
According to the researcher, the seller he is in touch with has demanded $8,000 in Bitcoin to purchase the data.
(Image Courtesy: www.sm.mashable.com)