- India-based startup Juspay suffered from a data breach in August 2020
- Personal data of over 10 crore Juspay users were on sale on the Dark Web
- Juspay has acknowledged the breach and has implemented new security measures to prevent such an occurrence
Cybersecurity researcher Rajshekhar Rajaharia discovered a glaring security hole in popular payment aggregator Juspay, which processes payments for a laundry list of companies such as Amazon, Swiggy, MakeMyTrip, Flipkart, Airtel, and Uber. Over 10 crore Indian debit and credit cardholders had their card expiry dates, customer IDs, and masked card numbers with the first and last four digits leaked. The Juspay data breach came to light with the researcher found the aforementioned information for sale on the Dark Web. The researcher confirmed the legitimacy of the leak by comparing MySQL data samples obtained from Juspay and the hacker and found them to be identical. Juspay has also officially acknowledged that a data breach had occurred on their systems on August 18th and was promptly thwarted.
Juspay founder Vimal Kumar told Gadgets 360, “No card numbers, financial credentials, or transaction data was compromised. Data records containing non-anonymised email, phone numbers, and masked cards used for display purposes were compromised.” He added that only a ‘small fraction’ of the total 10 crore users affected have had their mobile numbers and email IDs hacked.
Despite Juspay’s assurances that its systems are safe, the researcher found several glaring holes in its security. The company’s website is still allegedly redirecting users to unscrupulous webpages due to an old domain used for beta testing now being owned by another user. Juspay says that it has ramped up security measures by making 2FA (two-factor authentication) mandatory for all of its developers.
Juspay says that it has ramped up security measures by making 2FA (two-factor authentication) mandatory for all of its developers
Juspay is yet to contact the users affected by the said breach, and one can only hope that it does so soon. In the meanwhile, you can check if your personal information has been leaked online via services like HaveIBeenPwned. It is also important to use 2FA and a password manager wherever possible as it significantly reduces the chances of hackers using your personal information to gain access to your email, social media, etc.