The Indian startup Juspay handles payments for online marketplaces, including Amazon.
Juspay suffered a data breach around five months back, and now the investigation has revealed that around 35 million (3.5 crores) Juspay customers have been affected.
It is worth noting that Juspay is among the list of 26 companies that were reported by Hackread.com on January 2nd to have suffered a data breach. Currently, a hacker is selling 365 million user records and that also includes Juspay.
Juspay Data Dumped Online
The information stolen at the time is being sold on the dark web. According to security researcher Rajshkhar Rajaharia, sensitive data of around 35 million credit cardholders in India was compromised in the breach.
The researcher took to Twitter to reveal details of the data breach. Rajaharia stated that the compromised data include the name, bank name, and mobile number of the customers whose payment data was stored by the company.
He also shared a screenshot of some of the dumped data.
Juspay Data Breach
Juspay identified unauthorized activity on August 18, 2020. The company was alerted in the early hours of the morning. According to the official statement released by Juspay, the unusual activity was noticed in one of its data stores.
Investigation revealed that threat actors used an unrecycled, old Amazon Web Services access key to access the server. This triggered an automatic system alert because of a sudden boost in the data store’s system resources. The company immediately stopped the intrusion by terminating the server and sealing its entry points. The same day they conducted a system audit.
“Within the same day, a system audit was done to make sure the entire category of such issues is prevented. Our merchants were informed of the cyberattack on the same day and we worked with them to take various precautionary measures to safeguard information,” the company stated.
The company refreshed the API keys and invalidated the old keys. Other mitigation measures included enforcing 2FA authentication for all tools, adding threat-monitoring
Too Little Too Late
Juspay has employed a delaying approach, and the company is continuously trying to downplay the incident. The time lag between the breach and its public disclosure is certainly problematic to the cybersecurity fraternity.
Juspay, although informed its partners it didn’t reveal details of the breach to the public until Rajaharia discovered the data dump. Gurucul’s CEO Saryu Nayyar stated that there could be many gaps in Juspay’s security stack.
“Perhaps the biggest concern is the dwell time. The breach happening mid-August 2020 and only being reported now, indicates there may have been some gaps in Juspay’s security stack or their security operations process.”
Juspay has stated in its statement that the attackers didn’t access sensitive data and breached 35 million records that contained non-sensitive information such as “masked card data and card fingerprint.”
“The masked card data is used for display purposes on merchant UI and cannot be used for completing a transaction.”
Juspay acknowledged that some of the compromised records contained plaint-text, non-anonymized email, and contact numbers. It also had anonymous metadata of around 100 million processed transactions. Its subset contained mobile and email information.
Same hacker who was selling @JusPay DB now selling DBs of more Indian companies on Dark Web. @clickindia – 8Mn @chqbook – 1Mn @wedmegood – 1.3Mn. Same Hacker also selling @bigbasket_com too. May be a strong connection between all these recent data leaks. #InfoSec #DataLeak #GDPR pic.twitter.com/zs0mA7NjLR
— Rajshekhar Rajaharia (@rajaharia) January 6, 2021
“All of the customers’ full card numbers, order information, card PINs, or passwords are secure. The compromised data does not contain any transaction or order information. About 3.5 crore records with masked card data and card fingerprint (which is non-sensitive information) were breached… A part of user metadata in our system which has non-anonymized, plain-text email IDs and phone numbers got compromised.”
Juspay is a Bengaluru-based startup in India that handles payments of numerous digital marketplaces such as Amazon, Yatra, Swiggy, Freecharge, MakeMyTrip, BookMyShow, and Snapdeal. The company offers payment transaction services to leading online retailers in India, managing over 650,000 upwards per day.