mins read

Juspay Databases Containing 10 Crore Users’ Data for Sale on Data Sharing Platform

Juspay Databases Containing 10 Crore Users’ Data for Sale on Data Sharing Platform

January 6, 2021
Green Alert
Last Update posted on
February 3, 2024
Secure your organization's sensitive information from data breach.

Protect your sensitive information from unauthorized access and data breaches with CloudSEK XVigil Credential Breaches module, ensuring the security of your valuable data

Schedule a Demo
Table of Contents
Author(s)
No items found.

 

Category
Adversary Intelligence – Data Leak
Impacted Assets
Customer Records
CloudSEK Verified
Yes
Leaked Data
Customer PII (name, phone number, email address), masked Credit Card data (first 4 and last 4 digits of the 16 digit card number)

 

The Threat

Inc42 published a report regarding Juspay data being leaked on the dark web. The report claims that the data dump contains PII (Personally Identifiable Information) and card data of 10 Crore users. CloudSEK has done a detailed analysis of this incident and the key findings are summarized below.

Overview
  • Juspay had a security breach in August 2020 when a group of hackers hacked into their Payment MetaData servers and downloaded a few databases. 
  • Juspay did not disclose this incident to authorities – rather concealed the breach. 
  • In January 2021, Inc42 reported that Juspay was beached and its customers’ PII information was leaked on the dark web. 
  • The databases contain 16 fields including masked card data and PII (email address, first and last name, mobile numbers), among other sensitive information. 
Impact
  • The leaked data does not contain full card data – it mainly exposes users’ PII along with masked card data.
  • There is no direct impact on other banks as the card numbers are masked, i.e. only the first 4 and last 4 numbers are visible.
  • It is impossible to reverse engineer or brute force card numbers because card issuers (Visa, MasterCard, Rupay) block an invalid card after 100 failed attempts. 
  • The PII can be used to carry out social engineering attacks on the affected users.
  • The direct impact of this leak is negligible for banks and other organizations as full card data was not compromised and the chances of retrieving full data from partial data is impossible. 
Advice to Security Teams
  • We will see increased targeted phishing attacks on card users in the coming months. 
  • In case of a successful phishing attack – banks are advised to keep a close watch on credit cards that have been through JusPay gateway using internal fraud monitoring technologies. 

 

Detailed Technical Analysis

CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a data sharing platform, selling user databases of multiple companies. Our Threat Intelligence researchers did a detailed analysis on the same. The companies affected are:

Juspay.in   Teespring.com 
MyON.com  Knockcrm.com 
Mindful.org Clickindia.com 
Chqbook.com   Bigbasket.com 
Reddoorz.com    Hybris.com (SAP.com) 
Wedmegood.com  Wongnai.com
Geekie.com.br    Anyvan.com
Accuradio.com Everything5pounds.com 
Cermati.com Netlog.com (Twoo.com) 
Reverbnation.com Fotolog.com 
Pizap.com ModaOperandi.com 
Eventials.com Wahoofitness.com 
Sitepoint.com Singlesnet.com

 

Impacted Assets

The most recent post contains a sample of the Juspay database though the data has not been validated. Here are some sample screenshots from the leak:

Schema 1

 

Schema1

 

The “stored_card” database contains the following fields:

  •   id varchar
  •   version bigint
  •   card_brand
  •   card_exp_month
  •   card_exp_year
  •   card_fingerprint
  •   card_isin
  •   card_issuer
  •   card_last_four_digits
  •   card_reference
  •   card_token
  •   card_token_of_vault_provider
  •   card_type
  •   customer_id
  •   date_created
  •   last_updated
  •   masked_card_number
  •   merchant_account_id
  •   name_on_card
  •   nickname
  •   vault_provider
  •   card_global_fingerprint
Schema 2

 

Schema2

 

The “customer” database contains the following fields:

  •   id
  •   version
  •   date_created
  •   email_address
  •   first_name
  •   last_name
  •   last_updated
  •   merchant_account_id
  •   mobile_country_code
  •   mobile_number
  •   object_reference_id

 

Threat Actor

The threat actor joined the forum in December 2020. And since then, the threat actor has shared 2 posts, attempting to sell databases from their private collection. 

One of the posts advertises multiple databases while the other post is selling the Gympass database.

Author

Predict Cyber threats against your organization

Related Posts
Blog Image
May 29, 2024

Your Brand Guardians: A Deep Dive into CloudSEK's Takedown Services

Discover how CloudSEK's comprehensive takedown services protect your brand from online threats.

Blog Image
May 19, 2020

How to bypass CAPTCHAs easily using Python and other methods

How to bypass CAPTCHAs easily using Python and other methods

Blog Image
June 3, 2020

What is shadow IT and how do you manage shadow IT risks associated with remote work?

What is shadow IT and how do you manage shadow IT risks associated with remote work?

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

Engineering

min read

Juspay Databases Containing 10 Crore Users’ Data for Sale on Data Sharing Platform

Juspay Databases Containing 10 Crore Users’ Data for Sale on Data Sharing Platform

Authors
Co-Authors
No items found.

 

Category
Adversary Intelligence – Data Leak
Impacted Assets
Customer Records
CloudSEK Verified
Yes
Leaked Data
Customer PII (name, phone number, email address), masked Credit Card data (first 4 and last 4 digits of the 16 digit card number)

 

The Threat

Inc42 published a report regarding Juspay data being leaked on the dark web. The report claims that the data dump contains PII (Personally Identifiable Information) and card data of 10 Crore users. CloudSEK has done a detailed analysis of this incident and the key findings are summarized below.

Overview
  • Juspay had a security breach in August 2020 when a group of hackers hacked into their Payment MetaData servers and downloaded a few databases. 
  • Juspay did not disclose this incident to authorities – rather concealed the breach. 
  • In January 2021, Inc42 reported that Juspay was beached and its customers’ PII information was leaked on the dark web. 
  • The databases contain 16 fields including masked card data and PII (email address, first and last name, mobile numbers), among other sensitive information. 
Impact
  • The leaked data does not contain full card data – it mainly exposes users’ PII along with masked card data.
  • There is no direct impact on other banks as the card numbers are masked, i.e. only the first 4 and last 4 numbers are visible.
  • It is impossible to reverse engineer or brute force card numbers because card issuers (Visa, MasterCard, Rupay) block an invalid card after 100 failed attempts. 
  • The PII can be used to carry out social engineering attacks on the affected users.
  • The direct impact of this leak is negligible for banks and other organizations as full card data was not compromised and the chances of retrieving full data from partial data is impossible. 
Advice to Security Teams
  • We will see increased targeted phishing attacks on card users in the coming months. 
  • In case of a successful phishing attack – banks are advised to keep a close watch on credit cards that have been through JusPay gateway using internal fraud monitoring technologies. 

 

Detailed Technical Analysis

CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a data sharing platform, selling user databases of multiple companies. Our Threat Intelligence researchers did a detailed analysis on the same. The companies affected are:

Juspay.in   Teespring.com 
MyON.com  Knockcrm.com 
Mindful.org Clickindia.com 
Chqbook.com   Bigbasket.com 
Reddoorz.com    Hybris.com (SAP.com) 
Wedmegood.com  Wongnai.com
Geekie.com.br    Anyvan.com
Accuradio.com Everything5pounds.com 
Cermati.com Netlog.com (Twoo.com) 
Reverbnation.com Fotolog.com 
Pizap.com ModaOperandi.com 
Eventials.com Wahoofitness.com 
Sitepoint.com Singlesnet.com

 

Impacted Assets

The most recent post contains a sample of the Juspay database though the data has not been validated. Here are some sample screenshots from the leak:

Schema 1

 

Schema1

 

The “stored_card” database contains the following fields:

  •   id varchar
  •   version bigint
  •   card_brand
  •   card_exp_month
  •   card_exp_year
  •   card_fingerprint
  •   card_isin
  •   card_issuer
  •   card_last_four_digits
  •   card_reference
  •   card_token
  •   card_token_of_vault_provider
  •   card_type
  •   customer_id
  •   date_created
  •   last_updated
  •   masked_card_number
  •   merchant_account_id
  •   name_on_card
  •   nickname
  •   vault_provider
  •   card_global_fingerprint
Schema 2

 

Schema2

 

The “customer” database contains the following fields:

  •   id
  •   version
  •   date_created
  •   email_address
  •   first_name
  •   last_name
  •   last_updated
  •   merchant_account_id
  •   mobile_country_code
  •   mobile_number
  •   object_reference_id

 

Threat Actor

The threat actor joined the forum in December 2020. And since then, the threat actor has shared 2 posts, attempting to sell databases from their private collection. 

One of the posts advertises multiple databases while the other post is selling the Gympass database.