Justdial leaks personal data of 100 million users… Again

A recent report states that Justdial, one of the largest service companies in India, has suffered a data breach that led to the exposure of confidential records of more than 100 million users. According to researcher Rajshekhar Rajaharia, the information has remained exposed since March 2020.

Justdial, which started as a local phone-based directory, offers bill services, top-ups, grocery delivery, reservation system management, taxis, airline tickets and other services.

The leak consists of records of users’ personal information, including usernames, email addresses, phone numbers and dates of birth. This incident appears to be related to a flaw that Justdial’s teams detected in 2019 and that was apparently not properly addressed.

As in other similar incidents, the detection of the unprotected database does not mean that the threat actors have accessed the exposed information; however, it does imply the risk that this information will eventually be used to deploy massive phishing campaigns. The company has not issued any statements on the matter, although it has already received multiple requests for information.

Justdial is not the only company operating in India that has been the victim of similar incidents recently. Last May, pizza chain Domino’s India suffered a massive leak of information; the compromised data was eventually put up for sale on a dark web forum.

At the time, threat actors claimed to have extracted nearly 13 TB of confidential information held by Domino’s India. These confidential records included names, email addresses, phone numbers and location details.

Another major data breach this year impacted the systems of MobiKwik, which denied claims about a data breach that impacted 100 million users. This information is said to be for sale on the dark web, although so far nothing has been confirmed about it.
