In what may be huge data theft, details from over 100 million debit and credit card customers from the Juspay payment processor have leaked to the dark web. Juspay handles fees for businesses like Amazon, Swiggy, MakeMyTrip and others.
The leaked data is in the form of a data dump which has been leaked from a hacked Juspay site. Juspay acknowledged the leak in its official blog post, detailing the specifics of the violation.
“It is difficult for us to notify you that a breach of data occurred on 18 August 2020. Non-sensitive masked card records, mobile numbers and email IDs of a subset of our users have been compromised,” the company said.
Cybersecurity researcher Rajshekhar Rajaharia discovered a leak of records. He discovered that the data dump was usable on the dark web for sale.
Speaking to Business Insider, Rajaharia noted that this data leak could be much more serious if hackers were to find out the encryption algorithm used to crack card numbers.
Here’s what was leaked in the breach of the Juspay data
As per Juspay, the leaked information contains non-sensitive masked card information, mobile numbers, and subset of users’ email IDs. The company confirmed that the information leaked does not contain full card numbers, order information, PIN card or password.
The dark network data contains information such as the bank that issued the card, the card expiry date, the last four digits of the card, the masked card number, the card type and the name of the customer, among other information.
Will you be concerned about that?
Rajaharia points out that there might be a big danger to consumers if the algorithm used for hash card numbers were leaked or if the hackers would work it out on their own.
A hash is a special, fixed-length string mapping to a data set. In this case, Juspay has hacked 16-digit debit and credit card numbers to handle transactions.
If hackers would work out the algorithm used to create these hashes, they could use brute force to find out what the initial card numbers are.
Juspay masked just six digits out of sixteen digit card numbers. Rajaharia says that while this is fine, the protection of users is largely dependent on the hashing algorithm.
Scammers may also take advantage of this data leak
In addition to the threats listed above, Rajaharia also pointed out that scammers might use this data leak to dupe cardholders. As the leak involves mobile numbers, they could call unsuspecting cardholders and trick them into exposing full card numbers, PIN, CVV, and one-time passwords.
Rajaharia also found out that because these consumers are paid clients, they are much more beneficial than non-paying customers. This makes the Juspay data leak even more lucrative for hackers and scammers.
According to him, the seller he’s in contact with has asked Bitcoin for $8,000 to purchase the data.