The company that processes payments for Amazon and Swiggy has reported a data leak of over 100 million debit and credit cardholders

• Information of over 100 million debit and credit card users has been leaked online from payments processor Juspay.
• The leak includes the user’s names, contact information and information related to their debit and credit cards.
• Juspay processes payments for companies like Amazon, Swiggy, MakeMyTrip and several other companies.
• Cybersecurity researcher Rajshekhar Rajaharia who first spotted the breach has said that it could become a lot more serious if hackers figure out the encryption algorithm.

In what could be a major data breach, information of over 100 million debit and credit card users from payments processor Juspay has leaked on the dark web. Juspay processes payments for companies like Amazon, Swiggy, MakeMyTrip among others.

The leaked data is in the form of a data dump and has been leaked through a compromised server of Juspay. Juspay has confirmed the data leak in its official blog post, outlining the details of the breach.

“It pains us to inform you that a data breach did happen on 18th August 2020. Non-sensitive masked card information, mobile numbers and email ids of a subset of our users were compromised,” the company said.

Cybersecurity researcher Rajshekhar Rajaharia discovered the data breach. He found that the data dump was available for sale on the dark web.

Speaking to Business Insider, Rajaharia noted that this data breach could be a lot more serious if the hackers figure out the encryption algorithm used to hash card numbers.

Here’s what was leaked in the Juspay data breach

As per Juspay, the leaked information includes non-sensitive masked card information, mobile numbers and email IDs of a subset of users. The company has said that the leaked information does not include full card numbers, order information, card PIN or password.

The data on the dark web includes information such as the bank that has issued the card, card expiry date, the last four digits of the card, masked card number, card type and the user’s name, among other details.

Should you be worried?

Rajaharia pointed out that there could be a major risk to users if the algorithm used to hash card numbers is leaked or if the hackers figure it out on their own.

A hash is a unique and fixed-length string that is mapped to a set of data. In this case, Juspay has hashed the 16-digit debit and credit card numbers in order to process transactions.

If hackers can figure out the algorithm used to generate these hashes, they could use brute force and find out what the original card numbers are.

Juspay has masked only six digits out of sixteen-digit card numbers. Rajaharia says that while this is good, the safety of users rests primarily on the hashing algorithm.

Scammers could also exploit this data leak

In addition to the risks mentioned above, Rajaharia also pointed out that scammers could exploit this data leak to dupe cardholders. Since the leak includes mobile numbers, they could call unsuspecting cardholders and trick them into revealing the full card numbers, PIN, CVV as well as one-time passwords.

Rajaharia also pointed out that since these users are paying customers, they are a lot more valuable than non-paying customers. This makes the Juspay data leak a lot more lucrative for hackers and scammers.

According to him, the seller he is in touch with has demanded $8,000 in Bitcoin to purchase the data.

SEE ALSO:

From FireEye to Twitter to Covid-19 vaccine research ⁠— these were the biggest cyber attacks of 2020

Hackers are sending customers fake shipping messages appearing to come from Amazon and UPS as a 'shipageddon' is expected during a hectic shopping season