Over 100 million payment card numbers leaked; one of the biggest data breaches ever detected

Cybersecurity specialists report that over 100 million cardholders' records were leaked in what seems to be the biggest data breach ever detected in India. The leak seems related to a compromised server at Bengaluru-based mobile payment platform Juspay.

The report includes some screenshots of the compromised database, which reveal that the incident involves users’ confidential information such as:

  • Payment card brand
  • Card type
  • Expiration dates
  • Cards’ last four digits
  • Card fingerprints
  • Customer IDs

A sample of compromised records is shown below:

In addition, experts mentioned that there is a data subset showing users' phone numbers and email addresses. While the card data is not completely visible, multiple hacking groups need only a few details to deploy a sophisticated phishing campaign targeting those affected. Considering the number of leaked records, the scope of a potential attack could be devastating.

To make matters worse, researcher Rajshekhar Rajaharia states that the complete database is being sold on several dark web forums for an undisclosed but supposedly high amount. The expert also mentioned that Juspay has been relying on the Payment Card Industry Data Security Standard (PCI DSS) to store its users' information. Nonetheless, he believes that if a threat actor is able to find the algorithm used to generate a single card fingerprint, they could decrypt the hidden card number.
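The researcher's concern can be put in numbers. The sketch below is an added example, not Juspay's code: it measures how little entropy remains in a card number once some digits are exposed, and shows a keyed (HMAC) fingerprint as one mitigation. It assumes the fingerprint is derived from the full card number, which the article does not confirm; the known-prefix case and all function names are likewise assumptions for illustration.

```python
import hashlib
import hmac
import itertools
import math
import secrets

TEST_PAN = "4111111111111111"  # widely published test number, not a real card


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def count_completions(prefix: str, suffix: str, length: int) -> int:
    """Count Luhn-valid numbers of `length` digits with the given known ends."""
    unknown = length - len(prefix) - len(suffix)
    return sum(
        luhn_valid(prefix + "".join(mid) + suffix)
        for mid in itertools.product("0123456789", repeat=unknown)
    )


def residual_bits(length: int, known_prefix: int, known_suffix: int) -> float:
    """Entropy left in a card number once some digits are exposed.

    Luhn fixes one digit, so u unknown digits leave 10**(u-1) candidates.
    """
    unknown = length - known_prefix - known_suffix
    return math.log2(10 ** max(unknown - 1, 0))


def keyed_fingerprint(pan: str, key: bytes) -> str:
    """HMAC-SHA256 fingerprint: stable per key, not recomputable without it."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    print(count_completions("411111", "1111", 13))   # small case, enumerated
    print(round(residual_bits(16, 0, 4), 1), "bits with only the last four exposed")
    print(round(residual_bits(16, 6, 4), 1), "bits if the first six are known too")
    key = secrets.token_bytes(32)                    # 256-bit key held server-side
    print(keyed_fingerprint(TEST_PAN, key))
```

With an unkeyed hash, the only secret protecting the number is the handful of bits reported by `residual_bits`; with a keyed fingerprint, the secret is the 256-bit key, provided it was stored apart from the leaked database.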

In response to these reports, a Juspay spokesperson mentioned: “On August 18, 2020, an unauthorized party tried to access our servers; this intrusion was quickly detected and terminated. No card numbers, financial details or transaction history were compromised”. The spokesperson did acknowledge that some records in plain text, including email addresses and phone numbers, were exposed.

As for the perpetrators, the spokesperson linked this incident to the well-known hacking group ShinyHunters, which may have gained access to one of Juspay developers’ credentials. The company added that the compromise of hidden card numbers is not considered a leak of sensitive information. Finally, the Juspay spokesperson mentioned that the commercial partners of the payment platform were immediately notified about the incident, so these companies had enough time to improve their security mechanisms to prevent any malicious behavior.

The incident continues to be investigated, as no evidence of malicious use of the compromised information has yet been detected.