Juspay, India-based payment processing platform, discloses massive data breach

Juspay, an India-based company which offers payment processing services for companies like Amazon and Swiggy, has acknowledged a massive data breach affecting up to 30.5 million users, whose masked card numbers and personal data were exposed.   

Information security researcher Rajshekhar Rajaharia first reported the incident through his Twitter account, stating that the compromised data is available for sale on the dark web: “This database ad was posted by an unknown hacker making business through Telegram channels”, he mentioned. 

According to Juspay, the incident dates back to August 18, 2020, when the company detected suspicious activity on its storage systems: “Threat actors abused an old Amazon Web Services (AWS) key to gain unauthorized access. We trigger an automated security alert after a sudden system resources usage”. Juspay security teams tracked the intrusion and terminated the illegitimate access.

Even though the company admits that over 30 million records were leaked, it points out that the exposed financial data was masked: “The affected cards were used just for display purposes and they cannot be used for performing fraudulent transactions”, Juspay says.

When asked about its disclosure delay, a Juspay spokesperson mentioned: “Our priority was to notify our commercial partners and, as a security mechanism, issuing new API keys to prevent further damage”. Juspay also mentioned that all its clients were safe during the incident.

On the other hand, Rajaharia mentions that the affected masked cards only show six digits. Nonetheless, each card includes a fingerprint (a hashed credit card number); this could allow malicious hackers to decrypt the numbers of any compromised card. The expert says that threat actors demand $8,000 USD in Bitcoin in exchange for access to the database. 
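The concern about fingerprints stored next to masked numbers can be made concrete from the defender's side. The following is an added example, not code from Juspay or from the original article; the 16-digit card length, the use of SHA-256 and HMAC, the well-known test number and all function names are assumptions, since the article does not say how the fingerprints were computed.

```python
import hashlib
import hmac
import secrets

def luhn_valid(pan: str) -> bool:
    """Luhn check that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str, shown: int = 6) -> str:
    """Masked display form: `shown` leading digits, the rest hidden."""
    return pan[:shown] + "*" * (len(pan) - shown)

def candidates_left(pan_length: int, shown_digits: int) -> int:
    """Card numbers still consistent with a masked value. The Luhn
    check fixes one hidden digit, so only the others are free."""
    return 10 ** (pan_length - shown_digits - 1)

def unkeyed_fingerprint(pan: str) -> str:
    """Plain hash: anyone holding the dump can recompute it for a guess."""
    return hashlib.sha256(pan.encode()).hexdigest()

def keyed_fingerprint(pan: str, key: bytes) -> str:
    """HMAC fingerprint: still deterministic for matching a returning card,
    but cannot be recomputed without the key, which must be stored apart
    from the database (for example in an HSM or a secrets manager)."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

if __name__ == "__main__":
    pan = "4111111111111111"          # constructed sample: public test number
    key = secrets.token_bytes(32)     # hypothetical fingerprinting key
    print("luhn ok   :", luhn_valid(pan))
    print("masked    :", mask(pan))
    print("space left:", candidates_left(len(pan), 6))
    print("unkeyed   :", unkeyed_fingerprint(pan))
    print("keyed     :", keyed_fingerprint(pan, key))
```

With six digits exposed, a 16-digit number leaves a space of one billion candidates, which is small for a fast unkeyed hash; a keyed fingerprint moves the protection from the size of that space to the secrecy of the key.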

This is another example of the importance of implementing two-factor authentication (2FA) methods in payment platforms. India has determined that payments are subject to 2FA, but the international use of these cards has no such protection mechanism, and hackers know it.