More than 100 million credit and debit cardholders’ sensitive data leaked on a dark web, a security researcher said. The data includes the full names, phone numbers and email addresses of the cardholders as well as the first and last four digits of their cards. It seems to be associated with Jaspe, a payment platform that processes transactions for Indian and global merchants, including Amazon, MakeMyTrip and Swiggy. The Bangalore-based startup has admitted that some of its user data was compromised in August.
Data appeared The Dark Web Related to online transactions, at least between March 2017 and August 2020, the files shared with Gadgets 360 indicate. It contains the first and last four digits of the card with the personal details of many Indian cardholders as well as their card expiration dates, customer IDs and mask card numbers. However, specific transaction or order details are not a part of the leak.
Scammers can combine the above details with the contact information available at the dump to execute phishing attacks on affected card holders.
Cyber security researcher Rajsekhar Rajharia discovered the data dump earlier this week. He told Gadgets360 that the leaked data was for sale on the Dark Web by a hacker.
“The hacker is contacting buyers in a telegram and asking for payments Bitcoin, ”Said Rajahari.
He told Gadgets360 that it was selling on the Dark Web under the name Data Dump Juspe And he was able to find its relationship with the company with some consideration. The company confirmed a data breach to Gadgets 360, although it did not provide further details.
To verify affiliation with Zuspe, he compared the data fields found in the MySQL dump samples files received from the hacker with the Zaspe API document file. “Both are exactly the same,” he said.
Without giving any specifics about the latest data leak, Jaspe founder Vimal Kumar told Gadgets 360 on August 18 that an “unauthorized attempt was found” which was stopped while it was in progress.
“Card numbers, financial credentials or transaction data are not compromised,” Kumar said in an email. “Anonymous email, phone numbers and data records containing masked cards used for display purposes (consisting of the first four and last four digits of the card, which are not considered sensitive), have been compromised.”
Kumar said email and mobile information was “a small part of the 10 crore records” and most of the information was anonymous on the servers. He said 10 crore records were not card details, but customer metadata and there was a subset of users’ email and mobile information.
Leaked mask card data (non-sensitive data not used for display) contains two million records. Our card vault is on a different PCI compliant system and has never been accessed, ”he said.
Rajahria alleged that the card numbers could be decrypted if the hacker detected the algorithm used for the card fingerprints, despite being masked. However, Kumar disagreed with the researcher.
“We do hundreds of rounds of hashing with multiple algorithms and even salt (another number added to the card number). The algorithms we use cannot currently reverse the engineer given enough compute resources,” he said.
Jaspe received some data samples from his cyber security partner Cyble A few days ago it was still being evaluated. Kumar told Gadgets 360 on the same day that Jaspee noticed unauthorized access to its servers to its trading partners.
The company also identified security gaps in some of the older access keys used by developers and mandated two-factor authentication (2FA) for all devices accessed by its teams, the executive said.
However, Rajharia said there was still not much noise on the security side of Jaspe. He told Gadgets360 that he had noticed a configuration issue on a company site that was redirecting to malicious websites.
“The old unused domain (used for the beta test product) refers to the AWS Internet Protocol (IP), which was retrieved by another AWS user whose server contains this content,” Kumar said.
Details are available on the Jaspe site Show It has a team of over 150 people who reach 50 million customers per day. Its products are said to process over four million transactions daily and its system development kits (SDKs) are available on over 100 million devices. Companies including Amazon, Airtel, Flipkart, Vi (Vodafone Idea), Swiggy, And Uber Are among its main clients who initiate payments for their customers.
Established in 2012, the Jaspe Payment Card Industry Data Security Standard (PCI DSS) compliance level is 1, the highest level of compliance granted by PCI Security Standards Council to payment merchants.
Last month, Rajahria discovered personal data Seven million Indian credit and debit cardholders Survived through the dark web. Sensitive data of More than 1.3 million Indian banking customers Also appeared on the Dark Web in 2019.
Experts believe that data leaks are becoming more prevalent in India without proper regulations on cyber security despite the country expanding its digital infrastructure. Companies operating in the country do not have to strictly protect their user data due to the lack of privacy protection law.
What is the most exciting tech launch of 2021? We discussed this Orbit, Our weekly technology podcast, you can subscribe to Apple Podcasts, Google Podcasts, Or RSS, Download the episode, Or press the Play button below.