Juspay, the Payment Platform of Leading Online Merchants Amazon and Swiggy Suffers Data Breach

 

Juspay, the payment processor of prime online merchants like Amazon and Swiggy was hit by a massive data breach and now more than ‘3.5 Crore users critical card information is available for sale on the dark web’. Rajshekhar Rajaharia an independent cybersecurity researcher spotted the whole incident when an anonymous person put the stolen database for sale on the dark web and was trading via telegram. 

Juspay witnesses nearly 650k transactions per day and is an ally of leading online giants like Amazon, Swiggy, BookMyShow, MakeMyTrip, Snapdeal, Freecharge, and Yatra. The company’s data store suffered a data breach in August 2020 which compromised 3.5 Crore records. 

The screenshots of sensitive information of cardholders which includes the last four digits of the card, bank name, expiry month, and year are floating around the dark web. Juspay asserted no sensitive information regarding user card numbers or bank information is breached. 

Juspay, a Bangalore-based company acknowledged in their statement that “An old unrecycled AWS access key was exploited and that enabled the unauthorized access. An automatic system alert was triggered due to a sudden increase in the usage of the system resources on the data store. Our incident response team immediately engaged and was able to trace the intrusion and stop it. The server used in the hack was terminated and the entry point for this intrusion was sealed”. The company also asserted that the company does not store the critical information like PINs, Passwords or CVV and therefore the data was not breached. 

Juspay claimed that only non-sensitive information like the user masked card data and card fingerprints was leaked and no critical information regarding API keys, transactional data or source was leaked’. Following the breach, the company is working to strengthen its security system and has imposed 2-factor authentications for entire devices in the company, and has also reprocessed all previous credentials as a more secure option.

Cybersecurity expert Rajshekhar Rajaharia claimed that ‘the data breach could be a lot more threatening if the hackers figure out the way to encrypt the algorithm which is used to hash card numbers’.