Juspay data breach 35 million customers’ card data sold on dark web

The Indian startup Juspay handles payments for online marketplaces, including Amazon.

Juspay suffered a data breach around five months ago, and the investigation has now revealed that around 35 million (3.5 crore) Juspay customers have been affected.

It is worth noting that Juspay is among the 26 companies that Hackread.com reported on January 2nd to have suffered a data breach. Currently, a hacker is selling 365 million user records, including Juspay's.

Hacker selling 368m users records stolen from 26 companies
List of the allegedly breached website along with sample data offered by the hacker (Image: Hackread)

Juspay Data Dumped Online

The information stolen at the time is being sold on the dark web. According to security researcher Rajshekhar Rajaharia, sensitive data of around 35 million credit cardholders in India was compromised in the breach.

The researcher took to Twitter to reveal details of the data breach. Rajaharia stated that the compromised data includes the name, bank name, and mobile number of the customers whose payment data was stored by the company.

He also shared a screenshot of some of the dumped data.

35 Million Credit Card Users impacted in Juspay Data Breach

Juspay Data Breach

Juspay identified unauthorized activity on August 18, 2020. The company was alerted in the early hours of the morning. According to the official statement released by Juspay, the unusual activity was noticed in one of its data stores.

The investigation revealed that threat actors used an old, unrecycled Amazon Web Services access key to access the server. The access triggered an automatic system alert because of a sudden spike in the data store's use of system resources. The company immediately stopped the intrusion by terminating the server and sealing its entry points, and it conducted a system audit the same day.

“Within the same day, a system audit was done to make sure the entire category of such issues is prevented. Our merchants were informed of the cyberattack on the same day and we worked with them to take various precautionary measures to safeguard information,” the company stated.

The company refreshed the API keys and invalidated the old keys. Other mitigation measures included enforcing 2FA authentication for all tools, adding threat-monitoring 
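As an added illustration (not part of the original article or of Juspay's statement), the Python example below audits an AWS IAM credential report for the class of credential described above: access keys that are still active long after they were last rotated. The report rows, user names, audit date and 90-day threshold are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample using a subset of the IAM credential report columns;
# the users and dates are made up for illustration.
SAMPLE_REPORT = """\
user,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
svc-batch,true,2017-03-02T00:00:00+00:00,2020-08-18T01:52:00+00:00,false,N/A,N/A
svc-api,true,2020-07-01T00:00:00+00:00,2020-08-17T23:10:00+00:00,true,2018-11-20T00:00:00+00:00,N/A
alice,false,2016-05-05T00:00:00+00:00,N/A,false,N/A,N/A
"""

# Assumed audit date for the constructed sample.
AUDIT_TIME = datetime(2020, 8, 18, tzinfo=timezone.utc)


def parse_ts(value):
    """Return an aware datetime, or None for the report's empty markers."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def stale_keys(report_csv, now, max_age_days=90):
    """Return (user, key_slot, age_days, never_used) for active keys older
    than max_age_days, oldest first."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # a deactivated key can no longer authenticate
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            age = (now - rotated).days
            if age > max_age_days:
                used = parse_ts(row[f"access_key_{slot}_last_used_date"])
                findings.append((row["user"], slot, age, used is None))
    return sorted(findings, key=lambda f: -f[2])


if __name__ == "__main__":
    for user, slot, age, never_used in stale_keys(SAMPLE_REPORT, AUDIT_TIME):
        note = "never used" if never_used else "still in use"
        print(f"{user}: access key {slot} is {age} days old ({note})")
```

Keys flagged as never used are the safest to deactivate first; keys still in use need a replacement issued before the old one is revoked.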

Too Little Too Late

Juspay has employed a delaying approach, and the company is continuously trying to downplay the incident. The time lag between the breach and its public disclosure is certainly problematic to the cybersecurity fraternity.

Although Juspay informed its partners, it didn’t reveal details of the breach to the public until Rajaharia discovered the data dump. Gurucul’s CEO Saryu Nayyar stated that there could be many gaps in Juspay’s security stack.

“Perhaps the biggest concern is the dwell time. The breach happening mid-August 2020 and only being reported now, indicates there may have been some gaps in Juspay’s security stack or their security operations process.”

Juspay said in its statement that the attackers didn’t access sensitive data and that the 35 million breached records contained non-sensitive information such as “masked card data and card fingerprint.”

“The masked card data is used for display purposes on merchant UI and cannot be used for completing a transaction.”

Juspay acknowledged that some of the compromised records contained plain-text, non-anonymized email addresses and contact numbers. The data also included anonymous metadata of around 100 million processed transactions, a subset of which contained mobile and email information.

“All of the customers’ full card numbers, order information, card PINs, or passwords are secure. The compromised data does not contain any transaction or order information. About 3.5 crore records with masked card data and card fingerprint (which is non-sensitive information) were breached… A part of user metadata in our system which has non-anonymized, plain-text email IDs and phone numbers got compromised.”

About Juspay

Juspay is a Bengaluru-based startup in India that handles payments for numerous digital marketplaces such as Amazon, Yatra, Swiggy, Freecharge, MakeMyTrip, BookMyShow, and Snapdeal. The company offers payment transaction services to leading online retailers in India, managing upwards of 650,000 per day.
