- JustDial, the India-based local search provider, has been leaking live account data since mid-2015.
- Anyone can access the PII of about 100 million customer accounts, including accounts that are still being added.
- The company has not secured the exposed database, nor has it issued an official statement yet.
An unprotected database belonging to the India-based local internet search provider “JustDial” has exposed the sensitive data of about 100 million of the company’s customers. The database contains the profiles of customers who access JustDial services through the web platform, the mobile app, or the telephone line, and according to the reports, the unprotected APIs that left the door open have existed since at least the summer of 2015. JustDial has not issued an official statement about the discovery yet, and considering that it has not responded to the warning messages of the researcher who made the revelation, it is not likely to do anything about it soon.
Does anyone know the way to contact Justdial? Contacted #JustDial on 12th via ContactUs Page but no response. #dataleak #CyberSecurity #dataprotection #GDPR #privacy #breach #CyberAttack #business #hack #Hacker #tech #technology #DigitalIndia #datasecurity #infosec #cyber pic.twitter.com/cGqexg0Zt0
— Rajshekhar Rajaharia (@rajaharia) April 16, 2019
Indian researcher Rajshekhar Rajaharia sent a warning message to JustDial through its “ContactUs” communication form on 12 April, but after receiving no answer for five days, he decided to make the discovery public. After all, 100 million users is the equivalent of the population of the Philippines, so you can’t simply wait for the company to stumble upon your warning message at some point in the future. Besides the large number of affected users, the type of data exposed also makes the situation very severe.
A user’s profile includes their real name, email, mobile number, gender, date of birth, home address, photo, company, occupation, and more. To figure out whether the unprotected database was connected to a “live” server or a backup, the researcher collaborated with The Hacker News, who created a new account by calling JustDial. The researcher retrieved the new account’s details and confirmed that it had been added to the accessible database, so the connection is to a live production server and not a backup.
While exploring the database, Rajaharia also found a way to trigger mass opt-out requests for the registered accounts, which would spam the customers with messages and cause trouble for JustDial. Had he gone ahead with this approach, the company might have noticed that something suspicious was going on. If the publicity of this report still does not reach JustDial’s ears, the researcher may have to resort to measures like this one. Hopefully, he won’t have to.
What do you consider a fair penalty for companies that don’t handle the data of 100 million customers with the proper responsibility? Is the loss of customer trust enough in its own right? Share your thoughts in the comments section below, and don’t forget to check our socials on Facebook and Twitter for more fresh news like this.