Juspay, an India-based company which offers payment processing services for companies like Amazon and Swiggy, has acknowledged a massive data breach affecting up to 30.5 million users, whose masked card numbers and personal data were exposed.
Information security researcher Rajshekhar Rajaharia first reported the incident through his Twitter account, stating that the compromised data is available for sale on the dark web: “This database ad was posted by an unknown hacker making business through Telegram channels”, he mentioned.
According to Juspay, the incident dates back to August 18, 2020, when the company detected suspicious activity on its storing systems: “Threat actors abused an old Amazon Web Services (AWS) key to gain unauthorized access. We trigger an automated security alert after a sudden system resources usage”. Juspay security teams tracked the intrusion and terminated the illegitimate access.
Even though the company admits that over 30 million registers were leaked, they point out that the exposed financial data was masked: “The affected cards were used just for display purposes and they cannot be used for performing fraudulent transactions”, Juspay says.
When asked about its disclosure delay, a Juspay spokesperson mentioned: “Our priority was to notify our commercial partners and, as a security mechanisms, issuing new API keys to prevent further damage”. Juspay also mentioned that all its clients were safe during the incident.
On the other hand, Rajaharia mentions that the affected masked cards only show six digits. Nonetheless, each card includes a fingerprint (a hashed credit card number); this could allow malicious hackers to decrypt the numbers of any compromised card. The expert says that threat actors demand $8,000 USD in Bitcoin in exchange for access to the database.
This is another example of the importance of implementing two factor authentication (2FA) methods in payment platforms. India has determined that payments are a 2FA subject, but the international use of these cards has no such protection mechanism, and hackers know it.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.
