Juspay server leaked data dumping that on the Dark Web

According to Rajshekhar Rajaharia, an independent cybersecurity researcher, data of nearly 10 crore credit and debit card holders in the country is being sold for an undisclosed amount on the Dark Web. The massive data dump on the Dark Web has been leaked from a compromised server of Bengaluru-based digital payments gateway Juspay.

JusPay said that no card numbers or financial information were compromised during the cyber-attack and the actual number is much lower than the 10 crore-figure being reported.

Rajaharia claimed that the data was being sold on the Dark Web for an undisclosed amount via cryptocurrency Bitcoin.

According to him, PCI DSS (Payment Card Industry Data Security Standard) have been followed by Juspay in storing users' card information.

"However, if the hackers can find out the Hash algorithm used to generate the card fingerprint, they will be able to decrypt the masked card number. In this condition, all 10 crore cardholders are at risk," Rajaharia noted.

The company admitted that the hacker gained access to one of Juspay's developer keys and was spawning new computation servers in the developer account, trying to gain access to any accessible data.

Juspay said the masked card numbers that have been leaked are not considered sensitive as per compliance. Only "few" phone numbers and email addresses have been leaked which have dummy values that it had intimated its merchant partners about the data leak the very same day.

"No card numbers (like 16-digit card number and other financial credentials) were accessed, as it is stored in a completely different isolated system. No transaction or order information was compromised. We are making long-term investments for strengthening security and data governance with industry experts," the company said.

The round was led by Sweden's Vostok Emerging Finance (VEF), which invested $13 million in the technology firm, marking its first investment in the country.