The Personally Identifiable Information (PII) of approximately 100 million users of local business listing site JustDial was at risk after an Application Programming Interface (API) was left exposed for over a year.
JustDial is an Indian internet technology firm that offers local search for a variety of services in India via phone, Internet, and mobile apps.
However, a fix appears to have protected the PII data, which includes users’ names, gender, profile photos, email addresses, phone numbers, and birthdates.
Rajshekhar Rajaharia, an independent internet security researcher who first tweeted about this on Tuesday, informed BusinessLine that after discovering the data breach, he contacted the organization, and it was patched and fixed promptly.
“The company’s data was exposed since March 2020, though we can’t say yet if they have been leaked. We will only know once JustDial releases an audit report on it,” Rajaharia stated.
Further, he added that JustDial needs an audit because the system may have other flaws. JustDial did not respond to an email requesting a statement.
JustDial became a Mukesh Ambani group firm just ten days ago when Reliance Retail bought a 41% stake in it for $3,497 crore. Bill payments and recharge, groceries and food delivery, and reservations for restaurants, cabs, movie tickets, plane tickets, and events are among the services provided by the organization.
This isn’t the first time JustDial’s information has been leaked. In April 2019, Rajaharia discovered that a similar API was leaking user information in real-time whenever someone called or messaged JustDial via its app or website. The organization claimed to have solved the issue, but it appears to have reemerged a year later.
Rajaharia stated that JustDial never reveals the total number of people who have signed up. They disclose the count of active users and merchants, but never the total number, because every time someone dials the platform’s “88888 88888” number, the caller data is saved in JustDial’s database right away. This information is also in danger of being leaked. This data can also be tracked in real-time by the API in question. If an attacker gains access to it, they would be able to quickly extract and upload the data of every JustDial user to the Dark Web.
Many famous online firms and their customers have been the victims of data leaks and carelessness since the pandemic broke out last year. MobiKwik, JusPay, Upstox, Bizongo, BigBasket, Dominos India, and even Air India are among them.
As per BusinessLine, Kapil Gupta, co-founder of Volon Cyber Security, stated, “Customers need to be notified about any data leak happening in companies so that they can reset accounts and change passwords to protect their data. Though users can sue, raise a complaint, and even ask for damages, under the Right to Privacy or IT Acts, these policies are still open to interpretation. The articulation is not obvious.”
“The proposed Data Protection Bill gives more clarity on accountability of the companies facing a data breach. They have to voluntarily disclose and pay a fine if a data breach happens or they will be punished under the law. But we are still waiting for the DPB,” he added.
Source: https://www.ehackingnews.com/2021/07/data-of-100-million-justdial-customers.html