mood
Posted January 6, 2021

Data from August Breach of Amazon Partner Juspay Dumped Online

Researcher discovered info of 35 million credit-card users from an attack on the Indian startup, which handles payments for numerous online marketplaces.

Data from a breach that occurred five months ago involving Juspay, which handles payments for Amazon and other online retailers in India, has been dumped online, a researcher has found.

Security researcher Rajshekhar Rajaharia discovered data of 35 million Indian credit-card holders from a breach of a Juspay server that occurred on Aug. 18, he revealed on Twitter. The data included sensitive information such as the name, mobile number and bank name of customers whose payment info went through the company’s service, Rajaharia said in the tweet, which included an edited screenshot of some of the data.

Juspay is a Bengaluru, India-based start-up that partners with leading online retailers to make payment transactions—upwards of 650,000 per day–in India. Merchants with payments going through the service include Amazon, Swiggy, MakeMyTrip, Yatra, Freecharge, BookMyShow and Snapdeal.

Juspay discovered the breach during the early-morning hours of Aug. 18, alerted by unauthorized activity in one of the data stores, according to a detailed statement on the company’s website posted Monday and updated Tuesday in response to reports of the incident.

Threat actors used an old, unrecycled Amazon Web Services (AWS) access key to gain unauthorized access to the server, which triggered an automatic system alert due to the sudden boost in system resources by the data store, the company said.

Juspay responded immediately to the incident and stopped the intrusion, terminated the server used in the attack, and sealed its entry point, according to the statement.

“Within the same day, a system audit was done to make sure the entire category of such issues is prevented,” the company said. “Our merchants were informed of the cyberattack on the same day and we worked with them to take various precautionary measures to safeguard information.”

Those mitigation steps included refreshing API keys and invalidating the old keys; enforcing 2 Factor Authentication for all of its tools; and moving away from AWS key-based automation, according to the statement. Juspay also has added threat-monitoring tools to its security profile to prevent further attacks.

While breaches and subsequent data dumps like this are commonplace these days, what’s worrying in this case is the time lag between the breach and Juspay’s public acknowledgment of it. While the company may have already informed partners, it did not reveal the breach publicly until this week, after Rajaharia’s discovery of the dumped data.

“Perhaps the biggest concern is the dwell time,” acknowledged Saryu Nayyar, CEO of unified security and risk analytic firm Gurucul. “The breach happening mid-August 2020 and only being reported now, indicates there may have been some gaps in Juspay’s security stack or their security operations process.”

Indeed, in its statement Juspay appeared to downplay the breach, saying the threat actors didn’t access sensitive data. The company said threat actors breached about 35 million records with “masked card data and card fingerprint (which is non-sensitive information).”

“The masked card data is used for display purposes on merchant UI and cannot be used for completing a transaction,” according to the statement.

However, Juspay did acknowledge the compromise of some data records containing non-anonymized, plain-text email and phone numbers, as well as anonymous metadata for 100 million processed transactions, a subset of which contained email and mobile information.

Juspay’s delayed approach to revealing the breach has some, including Rajaharia, calling for the company to be investigated by Indian authorities on Twitter for its lack of immediate disclosure.

Source: Data from August Breach of Amazon Partner Juspay Dumped Online

aum
Posted January 6, 2021

Security Researcher Says Leaked Data Offered for Sale on Darknet

JusPay, an Indian online payment platform, acknowledged Monday that it sustained a breach of customer data in August. The announcement came a day after an independent security researcher reported that data on millions of JusPay customers had been offered for sale on a darknet forum.

In a blog post, JusPay acknowledged it sustained a breach on Aug. 18, which the company says it immediately addressed. The breach appears to have stemmed from a recycled Amazon Web Services access key that enabled unauthorized access to its databases, the company said.

Hackers accessed the company's server containing "masked" card information, card expiration information and mobile telephone numbers, JusPay said. Plus, email IDs were accessed for a subset of its users.

"On 18th Aug 2020 during the early hours, we noticed an unauthorized activity in one of our data stores," according to the JusPay blog posted Monday. "Our incident response team immediately engaged and was able to trace the intrusion and stop it. The server used in the hack was terminated, and the entry point for this intrusion was sealed."

Scale of Impact

The breach revelation from JusPay came a day after Rajshekhar Rajaharia, an independent cybersecurity researcher, shared information with local news media outlets that he said shows nearly 100 million JusPay customer records are listed for sale on the darknet.

The data offered for sale includes 55 million JusPay customers' names and contact details and 45 million transaction details, including masked debit and credit card information, Rajaharia says. The data is being offered for sale for $8,000, payable in bitcoin, he adds.

JusPay says, however, that about 30 million records were accessed in the August data breach. The company also says that users' PIN numbers, CVV numbers or passwords were not compromised in the breach.

Rajaharia notes JusPay's masked data that is being offered for sale hid the first six digits of the payment card. The data listed for sale also includes a hash of the entire 16 digits of the card.

"So, if those buying the JusPay data have access to hash algorithms, then they can decrypt the masked number, putting nearly 100 million users at the risk of various payment frauds," Rajaharia tells Information Security Media Group.

Recent Breaches in India

Over the last several months, several large Indian organizations have been affected by data breaches, leading to stolen data being listed for sale on darknet forums.

In December, Rajaharia discovered circulating on darknet forums 2 GB of personally identifiable information, including names, email addresses, contact details, the types of banking accounts used and Permanent Account Numbers, of 7 million debit and credit cardholders in India (see: Personal Details of 7 Million Indian Cardholders Exposed).

In October, Dr. Reddy's Laboratories, a multinational pharmaceutical company based in India, which has been testing a COVID-19 vaccine, was the victim of a ransomware attack. The incident forced the firm to shut down plants in India, Brazil, Russia and the U.K. to prevent further spread (see: Indian Pharmaceutical Company Investigates Security Incident).

And in September, a hacking campaign targeted India's defense forces, including individual soldiers, with phishing emails and malware designed to steal data, according to Seqrite Cyber Intelligence Labs (see: Hackers Target India's Military).

Source
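
Both articles above trace the intrusion to a long-lived AWS access key, and Juspay's listed mitigations begin with refreshing keys. As an added example (not from either article or from Juspay), the Python below flags active access keys that are overdue for rotation or idle, reading the column layout of an IAM credential report; the thresholds, user names and sample rows are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90   # assumed rotation policy, not a figure from the articles
MAX_IDLE_DAYS = 45      # assumed threshold for a forgotten key

# Constructed sample in the column layout of the IAM credential report
# (aws iam generate-credential-report / get-credential-report), trimmed to
# the columns used here. User names and dates are invented.
SAMPLE_REPORT = """\
user,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
ci-deploy,true,2018-03-02T10:00:00+00:00,2018-11-20T08:15:00+00:00,false,N/A,N/A
payments-api,true,2020-07-30T09:00:00+00:00,2020-08-17T23:40:00+00:00,true,2019-01-05T12:00:00+00:00,N/A
alice,false,2017-06-01T00:00:00+00:00,2017-06-03T00:00:00+00:00,false,N/A,N/A
"""

def _parse(ts):
    """Report timestamps are ISO 8601; absent values appear as N/A or no_information."""
    return None if ts in ("N/A", "no_information", "") else datetime.fromisoformat(ts)

def stale_access_keys(report_csv, now):
    """Return (user, key_slot, reasons) for every ACTIVE key that is old or idle."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            prefix = f"access_key_{slot}_"
            if row[prefix + "active"] != "true":
                continue  # a deactivated key cannot authenticate
            rotated = _parse(row[prefix + "last_rotated"])
            used = _parse(row[prefix + "last_used_date"])
            reasons = []
            if rotated and (now - rotated).days > MAX_KEY_AGE_DAYS:
                reasons.append(f"not rotated for {(now - rotated).days} days")
            if used is None:
                reasons.append("active but never used")
            elif (now - used).days > MAX_IDLE_DAYS:
                reasons.append(f"idle for {(now - used).days} days")
            if reasons:
                findings.append((row["user"], slot, reasons))
    return findings

if __name__ == "__main__":
    as_of = datetime(2020, 8, 18, tzinfo=timezone.utc)  # breach date given in the articles
    for user, slot, reasons in stale_access_keys(SAMPLE_REPORT, as_of):
        print(f"{user} key {slot}: {'; '.join(reasons)}")
```

Keys flagged this way are candidates for deactivation first and deletion after a quiet period, which limits the impact if a workload still depends on one.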
Archived
This topic is now archived and is closed to further replies.