100 Million Records of ‘JusPay’ Digital Payment Transactions Leaked Online

• A massive pack containing the sensitive details of JusPay users is being offered for purchase on the dark web.
• The types of data include various card-related details, email addresses, and phone numbers.
• JusPay knew about the breach for many months now but still claims it’s nothing serious.

A set of very sensitive details has appeared online in the form of a data leak and is already available for sale on the dark web. The discovery and subsequent reporting come from independent security researcher Rajshekhar Rajaharia, who figured out that the data came from a compromise on the server of ‘JusPay.’

JusPay is a Bengaluru-based electronic payments platform offering mobile apps and one of the most popular and trusted solutions of this kind in the country. As such, the data leak is one of the most important in India in recent years.

The data that is available for purchase on the dark web right now include the following things:

• Card brand
• Card expiry date
• The last four digits of the card
• Card-holder name
• Card fingerprint
• Card ISIN
• Customer ID
• Merchant account ID
• Phone numbers
• Email addresses

In total, there are 100 million records, but not every entry from the above data types is available for all records. Though, at least 20 million are "complete" in that sense, so the leak is pretty much catastrophic for JusPay and its customers. Also, the data seems to derive from last summer, so it’s been some time between the breach incident and the “open” sale of the stolen data, which raises the question of what JusPay did in the meantime.

That’s an interesting part of the story, as JusPay has only now confirmed that the incident occurred on August 18, 2020. The company claims that they responded immediately, so the cyber-attack effects were contained to negligible levels, only exposing non-sensitive and masked card info. However, this doesn’t match the screenshots that crooks share on the dark web as proof of what they have for sale.

Additionally, the firm conceded the leak of plain-text email addresses and phone numbers, which should be a serious reason to secure the circulation of a notice to its userbase. However, they state that these are all “dummy data,” thus having no value for hackers whatsoever.

To further complicate the story, JusPay was involved in recent rumors about a data breach that they have allegedly tried to cover up. Still, that story saw the light under unclear motives, and we couldn’t confirm anything with certainty back then. From what can be confirmed now, there was indeed a data breach last summer, and JusPay knew about it since day one.