3 more Indian firms hacked, 1.13 cr users' data at risk: Researcher

Image Source: IANS News

New Delhi, January 6 (IANS): After hacking masked credit and debit card data of crores of JusPay users, the same hacker, possibly known as 'ShinyHunters', is now selling databases belonging to three more Indian companies on the dark web, independent cyber security researcher Rajshekhar Rajaharia claimed on Wednesday.

According to Rajaharia, who first broke the news of the JusPay hack, the three Indian companies are e-marketplace ClickIndia, ChqBook, a fintech startup for small business owners, and wedding planning website WedMeGood.

"Nearly 80 lakh users of ClickIndia (name, email, mobile and other personal details), 10 lakh users of ChqBook (name, email, mobile, full address and other personal details) and 13 lakh users of WedMeGood (name, email, hashed password, other sensitive personal information)," Rajaharia told IANS.

Like JusPay, these three companies have also allegedly not told their users about the data breach, the security researcher claimed.

The names of the three Indian companies were first reported by the BleepingComputer website, which said that a "data breach broker is selling the allegedly stolen user records for 26 companies on a hacker forum".

ChqBook denied the attack while the other two companies were yet to react to the report.

According to Sonit Jain, CEO of GajShield Infotech, such incidents, once confirmed, leave a negative impression of digital payment platforms irrespective of the sensitivity of the data.

"Simple data like email ID and phone number, which may not look sensitive, can turn out to be a lethal means of financial fraud at a personal level if it falls into the wrong hands," Jain told IANS.

Bengaluru-based digital payments gateway JusPay said in an earlier statement that the company verified that their Secure Data Store, which hosts the confidential card numbers, was not accessed or compromised.

"Thus, all our customers were secure from any kind of risk. Our priority was to inform the merchants and as a measure of abundant precaution, they were issued fresh API keys though it was later verified that even the API keys in use were safe," the company said.

According to Rajaharia, the hacker is the same one who leaked the BigBasket data, a leak previously reported by the cybersecurity firm Cyble.

In November last year, BigBasket, one of India's popular online grocery stores, found that the data of over 20 million of its users had been hacked and was on sale on the dark web for over $40,000.

"Now, the same hacker group is asking about $10,000 in Bitcoin for the BigBasket database and is also selling the three companies' databases," Rajaharia said.

"There is a strong connection between all these recent data leaks, including BigBasket," he added.

US-based third-party cyber intelligence firm Cyble claimed in its official blog that though the alleged breach occurred on October 14, it detected it on October 30, validated it on October 31 and informed BigBasket on November 1.

The user database was estimated to cover about 20 million users, with names, email IDs, password hashes, pin, contact numbers, addresses, dates of birth, locations and IP addresses of login.

JusPay said on Tuesday that about 3.5 crore records with masked card data and card fingerprint were compromised by the hacker and that the claim of 10 crore cardholders' data being affected is "incorrect".