[BreachExchange] Juspay data breach 35 million customers’ card data sold on dark web
Destry Winant
destry at riskbasedsecurity.com
Tue Jan 12 10:38:20 EST 2021
https://www.hackread.com/juspay-data-breach-card-data-sold-dark-web/
The Indian startup Juspay handles payments for online marketplaces,
including Amazon.
Juspay suffered a data breach around five months ago, and the
investigation has now revealed that around 35 million (3.5 crores)
Juspay customers have been affected.
It is worth noting that Juspay is one of the 26 companies that
Hackread.com reported on January 2nd as having suffered a data
breach. A hacker is currently selling 365 million user records, and
Juspay's data is among them.
Juspay Data Dumped Online
The information stolen at the time is being sold on the dark web.
According to security researcher Rajshekhar Rajaharia, sensitive data
of around 35 million credit cardholders in India was compromised in
the breach.
The researcher took to Twitter to reveal details of the data breach.
Rajaharia stated that the compromised data include the name, bank
name, and mobile number of the customers whose payment data was stored
by the company.
He also shared a screenshot of some of the dumped data.
Juspay Data Breach
Juspay identified unauthorized activity on August 18, 2020. The
company was alerted in the early hours of the morning. According to
the official statement released by Juspay, the unusual activity was
noticed in one of its data stores.
The investigation revealed that threat actors used an unrecycled, old
Amazon Web Services access key to access the server. The intrusion
triggered an automatic system alert because of a sudden spike in the
data store’s system resources. The company immediately stopped the
intrusion by terminating the server and sealing its entry points. It
conducted a system audit the same day.
“Within the same day, a system audit was done to make sure the entire
category of such issues is prevented. Our merchants were informed of
the cyberattack on the same day and we worked with them to take
various precautionary measures to safeguard information,” the company
stated.
The company refreshed the API keys and invalidated the old keys. Other
mitigation measures included enforcing two-factor authentication (2FA)
for all tools, adding threat-monitoring
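A defender can look for the condition described above, an old access key that is still active, in the AWS IAM credential report. The following is an added example, not code from Juspay or from the article; the user names and dates in the sample are constructed, and the 90-day threshold is an assumed policy value.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of an AWS IAM credential report
# (only the columns this check reads; user names and dates are made up).
SAMPLE_REPORT = """\
user,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
ci-deploy,true,2020-07-01T09:00:00+00:00,2020-08-17T23:10:00+00:00,false,N/A,N/A
legacy-batch,true,2018-03-12T06:30:00+00:00,N/A,false,2017-01-05T06:30:00+00:00,N/A
analyst,false,2019-11-20T12:00:00+00:00,2019-12-01T08:00:00+00:00,true,2019-02-01T12:00:00+00:00,2020-08-18T01:45:00+00:00
"""
AUDIT_DATE = datetime(2020, 8, 18, tzinfo=timezone.utc)  # constructed audit date


def _parse(ts):
    """Report timestamps are ISO 8601; N/A marks a value that does not apply."""
    return None if ts in ("N/A", "") else datetime.fromisoformat(ts)


def stale_active_keys(report_csv, now, max_age_days=90):
    """Return (user, key_slot, age_days, ever_used) for each active key
    whose last rotation is older than max_age_days (assumed policy)."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            prefix = f"access_key_{slot}_"
            if row.get(prefix + "active") != "true":
                continue  # an inactive key cannot authenticate
            rotated = _parse(row.get(prefix + "last_rotated", "N/A"))
            if rotated is None:
                continue
            age = (now - rotated).days
            if age > max_age_days:
                used = _parse(row.get(prefix + "last_used_date", "N/A")) is not None
                findings.append((row["user"], slot, age, used))
    # Oldest first: the longest-lived keys are the first to rotate or delete.
    return sorted(findings, key=lambda f: f[2], reverse=True)


if __name__ == "__main__":
    for user, slot, age, used in stale_active_keys(SAMPLE_REPORT, AUDIT_DATE):
        status = "used" if used else "never used"
        print(f"{user}: access key {slot} active, {age} days old, {status}")
```

An active key that has never been used is a candidate for deletion; an old key that is still in use needs a planned rotation.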
Too Little Too Late
Juspay has taken a delaying approach, and the company keeps trying to
downplay the incident. The time lag between the breach and its public
disclosure is certainly a problem for the cybersecurity fraternity.
Although Juspay informed its partners, it didn’t reveal details of the
breach to the public until Rajaharia discovered the data dump.
Gurucul’s CEO Saryu Nayyar stated that there could be many gaps in
Juspay’s security stack.
“Perhaps the biggest concern is the dwell time. The breach happening
mid-August 2020 and only being reported now, indicates there may have
been some gaps in Juspay’s security stack or their security operations
process.”
Juspay said in its statement that the attackers didn’t access
sensitive data and that the 35 million breached records contained
non-sensitive information such as “masked card data and card
fingerprint.”
“The masked card data is used for display purposes on merchant UI and
cannot be used for completing a transaction.”
Juspay acknowledged that some of the compromised records contained
plain-text, non-anonymized email addresses and contact numbers. The
data also included anonymous metadata of around 100 million processed
transactions, a subset of which contained mobile and email information.
“All of the customers’ full card numbers, order information, card
PINs, or passwords are secure. The compromised data does not contain
any transaction or order information. About 3.5 crore records with
masked card data and card fingerprint (which is non-sensitive
information) were breached… A part of user metadata in our system
which has non-anonymized, plain-text email IDs and phone numbers got
compromised.”
About Juspay
Juspay is a Bengaluru-based startup in India that handles payments for
numerous digital marketplaces such as Amazon, Yatra, Swiggy,
Freecharge, MakeMyTrip, BookMyShow, and Snapdeal. The company offers
payment transaction services to leading online retailers in India,
managing upwards of 650,000 transactions per day.