Cyberattacks that target customers’ sensitive information aren’t new in the world of security. Attackers often manage to exploit vulnerabilities and steal well-encrypted information from system servers. In the latest news, confidential information of more than 100 million credit card and debit card users has become available on the Dark Web.
Hackers leak private data
The data contains a wide variety of information, like names, phone numbers, email addresses, and the first and last four digits of the credit/debit card. According to security experts, attackers have stolen this data from a service called Juspay.
Juspay had announced earlier that attackers had access to its customers’ confidential data between March 2017 and August 2020. While the attackers could not find full payment information or transaction-specific data, sensitive information such as masked credit card numbers and expiry dates is available in the data dump.
It is worth noting that Juspay handles thousands of transactions every day, serving popular services like Swiggy, Amazon, MakeMyTrip, etc. It means the data of those who may have used these services could be in the data dump.
According to security researchers who have been exploring the data on the dark web, hackers are trying to sell this information for a high price. In most cases, the seller had asked for payments in Bitcoin while giving access to the entire data dump.
Considering that Juspay has lost such a variety of information, it could easily be used to conduct phishing-based attacks. Given that the attacker has all the basic information, such as the masked credit/debit card numbers, it won’t be challenging to convince the victim to submit the next level of details via phishing attacks.
Although Juspay admitted that its data was compromised between 2017 and 2020, it has not yet revealed more information about the attack. It maintains that the breach did not compromise any sensitive data that could instantly harm the customers.
While that may be technically true, the statement overlooks the impact of losing email and phone number combinations, which phishing attackers have a great time with.