The company that processes payments for Amazon and Swiggy has reported a data leak of over 100 million debit and credit cardholders.

Representative image

January 2021 – In a serious case of data breach, information of over 100 million debit and credit card users from payments processor Juspay has leaked on the dark web. Juspay processes payments for companies like Amazon, Swiggy, MakeMyTrip among others. The leaked data is in the form of a data dump and has been leaked through a compromised server of Juspay. Juspay has confirmed the data leak in its official blog post, outlining the details of the breach.

“It pains us to inform you that a data breach did happen on 18th August 2020. Non-sensitive masked card information, mobile numbers and email ids of a subset of our users were compromised,” the company said. Cybersecurity researcher Rajshekhar Rajaharia discovered the data breach. He found that the data dump was available for sale on the dark web.

As per Juspay, the leaked information includes non-sensitive masked card information, mobile numbers and email IDs of a subset of users. The company has said that the leaked information does not include full card numbers, order information, card PIN or password. The data on the dark web includes information such as the bank that has issued the card, card expiry date, the last four digits of the card, masked card number, card type and the user’s name, among other details.

According to Rajaharia, there could be a major risk to users if the algorithm used to hash card numbers is leaked or if the hackers figure it out on their own.

A hash is a unique and fixed-length string that is mapped to a set of data. In this case, Juspay has hashed the 16-digit debit and credit card numbers in order to process transactions. If hackers can figure out the algorithm used to generate these hashes, they could use brute force and find out what the original card numbers are. Juspay has masked only six digits out of sixteen-digit card numbers. Rajaharia says that while this is good, the safety of users rests primarily on the hashing algorithm.