JustDial data breach: personal details of 100 million users leaked

Names, emails, phone numbers, and addresses of JustDial customers exposed on the internet

Data breach in JustDial leaked details of customers since 2015.

Unprotected database of JustDial led to data leak of millions of search engine provider customers.^[1] Currently, anyone can access personal details of around 100 million Indian user accounts that search via the search service. The leaky endpoint exposes data of all users in real-time, whether they accessed the website, used the mobile app or reached out to the company via the phone number.

According to a Twitter post by Rajshekhar Rajaharia,^[2] outdated APIs were connected to the current database, which allowed access via Google Search or Github.

As it turns out, 70 percent of the leaked data belongs to people who called the customer support number 88888 88888:

Even if one would not have used their app or website, if you ever called their customer service, your data may have been leaked.

The leaked data includes usernames, emails, mobile numbers, addresses, gender, dates of birth, occupation, and workplace details. In other words, all the information provided on the profile is leaked to the internet, allowing anybody to access it publicly. It appears that the Indian-based internet search provider has been leaking these personal details since 2015, although it is not known whether the data was misused by malicious actors^[3]

The company denies the data breach

Rajaharia contacted JustDial, but since they haven't addressed the issue at the time, the discovery was made public. However, after a few days, the company denied all these data breach reports and claimed that the platform works on OTP-based authentication and is secure. Nevertheless, the sensitive information remains accessible for everyone, even after the statement was publicized.^[4]

The independent researcher claims that the issue was related to the older version of the APIs^[5] on the website that hasn't been updated since mid-2015. Although there is still no confirmation from the company that they are securing sensitive information like passwords or financial details, JustDial stated that the issue was fixed with the older app and informed about the process of identifying vulnerabilities:

Financial information is stored in double-encrypted format and regularly audited by PCI DSS compliant auditing firm.

Serious company data breaches: how they happen

A data breach occurs when cybercriminals infiltrate sources like databases and extract sensitive information belonging to users or customers of the targeted firm. There are many methods this can be done: hackers might obtain staff member credentials from previous breaches, abuse unpatched vulnerabilities, or simply access the data on the leaky Amazon S3 bucket, etc.

Once the connection to the computer is established, the attacker can reach the confidential company information or user data and extract those files. One of the most significant data breaches involved hundreds of millions or even billions of records stolen.

April 2019 started with a massive breach in Toyota Japan that affected more than 3.1 Million customers.^[6] More than 20 000 patients impacted by the breach on Health Recovery Services Network when unauthorized IP address accessed the network for a few months and exposed patient Social Security numbers. These are only a few more recent data breaches that affected people around the world.