Juspay data breach could have far-reaching consequences



The nightmare of the Juspay data breach is far from over for the company and its customers. There’s a huge cache of critical customer data up for sale on the dark web, and although some of the data might by encrypted, cybersecurity researchers believe it’s just a matter of time before hackers crack the code.

Earlier this month Juspay revealed that it discovered the breach on 18 August, when an automatic system alert was triggered due to a sudden increase in the usage of system resources on a server that formed part of its payment system. Following the discovery, Juspay said it terminated the affected server and sealed the entry point for the intrusion.

In wake of the incident, Juspay carried out a full-scale system audit and informed its merchants of the cyberattack the same day. The investigation revealed that hackers were able to gain unauthorized access by exploiting an unrecycled Amazon Web Services (AWS) access key. According to Juspay, close to 35 million customer accounts with masked card data and card fingerprints were breached.

However, Rajshekhar Rajaharia, an independent cybersecurity researcher and former crime analyst for the Indian government who first highlighted the data leak, said the number could be higher: “When the seller on the dark web sent a sample of the dataset, it comprised the entire MySQL data dump, which consists of 10 crore (100 million) customer accounts.”

The seller, going by the name “Data” in dark-web circles, put the stolen data on Øbin.net, a Pastebin-like site that encrypts the documents it hosts, allowing users to share the encryption key and download link with others. The seller also used the Telegram messaging app to carry out negotiations and bargains. Telegram is popular with hackers as it enables them to set self-destruct timers on messages and media.

“The hacker started at $8000 (roughly ₹590,000) as the asking price for the data, then stepped down to $6000. He ultimately settled for $5000 for the Juspay data dump,” said Rajaharia. 

Copyright © 2021 IDG Communications, Inc.


Source link