Elizabeth Montalbano | Threatpost.com
Researcher discovered info of 35 million credit-card users from an attack on the Indian startup, which handles payments for numerous online marketplaces.
Data from a breach that occurred five months ago involving Juspay, which handles payments for Amazon and other online retailers in India, has been dumped online, a researcher has found.
Security researcher Rajshekhar Rajaharia discovered data of 35 million Indian credit-card holders from a breach of a Juspay server that occurred on Aug. 18, he revealed on Twitter. The data included sensitive information such as the name, mobile number and bank name of customers whose payment info went through the company’s service, Rajaharia said in the tweet, which included an edited screenshot of some of the data.
Juspay is a Bengaluru, India-based start-up that partners with leading online retailers to process payment transactions (upwards of 650,000 per day) in India. Merchants with payments going through the service include Amazon, Swiggy, MakeMyTrip, Yatra, Freecharge, BookMyShow and Snapdeal.
Juspay discovered the breach in the early morning hours of Aug. 18, alerted by unauthorized activity in one of its data stores, according to a detailed statement on the company’s website posted Monday and updated Tuesday in response to reports of the incident. Threat actors used an old, unrecycled (i.e., never rotated) Amazon Web Services (AWS) access key to gain unauthorized access to the server; the intrusion triggered an automatic system alert because of a sudden spike in resource consumption by the data store, the company said.
Juspay responded immediately to the incident and stopped the intrusion, terminated the server used in the attack, and sealed its entry point, according to the statement.
“Within the same day, a system audit was done to make sure the entire category of such issues is prevented,” the company said. “Our merchants were informed of the cyberattack on the same day and we worked with them to take various precautionary measures to safeguard information.”
Those mitigation steps included refreshing API keys and invalidating the old keys; enforcing two-factor authentication (2FA) for all of its tools; and moving away from AWS key-based automation, according to the statement. Juspay also has added threat-monitoring tools to its security stack to prevent further attacks.
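The root cause described above, a long-lived AWS access key that was never rotated or invalidated, is the kind of credential hygiene gap that can be caught routinely. The script below is an added example, not Juspay's or Threatpost's code: it audits an IAM credential report (the CSV that `aws iam get-credential-report` returns; the column names are the real ones) for active keys older than a rotation threshold, keys that have sat unused, and console users without MFA, which maps onto the three mitigations in the statement. The user names, account ID, dates and the reference time are constructed sample data; the thresholds are assumptions.

```python
"""Audit an IAM credential report for unrotated or dormant access keys and
console users without MFA.  The CSV layout matches the IAM credential report;
the rows in SAMPLE_REPORT are constructed and belong to no real account."""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
deploy-bot,arn:aws:iam::111111111111:user/deploy-bot,2018-02-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2018-02-01T09:00:00+00:00,2020-08-18T02:13:00+00:00,ap-south-1,dynamodb,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111111111111:user/alice,2020-05-03T10:00:00+00:00,true,2020-08-17T08:00:00+00:00,2020-06-01T10:00:00+00:00,N/A,true,true,2020-06-15T10:00:00+00:00,2020-08-17T08:30:00+00:00,ap-south-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::111111111111:user/bob,2020-03-01T10:00:00+00:00,true,2020-08-16T11:00:00+00:00,2020-03-01T10:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
old-report-job,arn:aws:iam::111111111111:user/old-report-job,2019-01-10T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2019-01-10T09:00:00+00:00,N/A,N/A,N/A,true,2020-07-01T09:00:00+00:00,2020-08-10T09:00:00+00:00,ap-south-1,s3
"""

# Constructed reference time (assumption): midday UTC on the day the article
# says the intrusion was detected.
AUDIT_TIME = datetime(2020, 8, 18, 12, 0, tzinfo=timezone.utc)


def _parse_time(value):
    """The report uses 'N/A', 'no_information' or 'not_supported' where no
    timestamp exists; anything that does not start with a digit is 'none'."""
    if not value[:1].isdigit():
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, max_age_days=90, max_idle_days=30):
    """Return (user, credential, code, detail) tuples for every finding.

    max_age_days / max_idle_days are assumed policy thresholds."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Console password without a second factor.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "password", "NO_MFA", "console login without MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive slots are already invalidated
            name = f"key{slot}"
            rotated = _parse_time(row[f"access_key_{slot}_last_rotated"])
            last_used = _parse_time(row[f"access_key_{slot}_last_used_date"])
            if rotated is None:
                findings.append((user, name, "STALE_KEY", "no rotation timestamp"))
                continue
            age = now - rotated
            if age > timedelta(days=max_age_days):
                findings.append((user, name, "STALE_KEY", f"not rotated for {age.days} days"))
            # A key that has never been used is measured from its creation.
            idle = now - (last_used or rotated)
            if idle > timedelta(days=max_idle_days):
                detail = "never used" if last_used is None else f"unused for {idle.days} days"
                findings.append((user, name, "IDLE_KEY", detail))
    return findings


def run_sample():
    """Audit the constructed report at the constructed reference time."""
    return audit_credential_report(SAMPLE_REPORT, AUDIT_TIME)


if __name__ == "__main__":
    for finding in run_sample():
        print("%-15s %-9s %-10s %s" % finding)
```

Running it flags `deploy-bot` (a two-and-a-half-year-old key still in daily use, the pattern the article describes), `bob` (console login without MFA) and `old-report-job`, whose second key was issued in July while the first one was never deactivated and never used; `alice` produces no findings. Rotating a key without invalidating its predecessor leaves exactly the sort of forgotten credential the company said it had to clean up.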
While breaches and subsequent data dumps like this are commonplace these days, what’s worrying in this case is the time lag between the breach and Juspay’s public acknowledgment of it. While the company may have already informed partners, it did not reveal the breach publicly until this week, after Rajaharia’s discovery of the dumped data.
“Perhaps the biggest concern is the dwell time,” acknowledged Saryu Nayyar, CEO of unified security and risk analytics firm Gurucul. “The breach happening mid-August 2020 and only being reported now indicates there may have been some gaps in Juspay’s security stack or their security operations process.”
Indeed, in its statement Juspay appeared to downplay the breach, saying the threat actors didn’t access sensitive data. The company said threat actors breached about 35 million records with “masked card data and card fingerprint (which is non-sensitive information).”
“The masked card data is used for display purposes on merchant UI and cannot be used for completing a transaction,” according to the statement.
However, Juspay did acknowledge the compromise of some data records containing non-anonymized, plain-text email and phone numbers, as well as anonymous metadata for 100 million processed transactions, a subset of which contained email and mobile information.
Juspay’s delayed approach to revealing the breach has some, including Rajaharia, calling on Twitter for Indian authorities to investigate the company over its lack of immediate disclosure.