
Personal Info of 100 Million JustDial Customers Leaked

The private account information of 100 million users of the India-based local search provider JustDial has been leaked online. The unprotected database contains personally identifiable information and, according to independent researcher Rajshekhar Rajaharia, who first discovered the breach, it is being updated in real time. Mr. Rajaharia attempted to contact JustDial about the unsecured API that exposed the customers' data, but after waiting 5 days without receiving an answer he decided to go public.

Apparently, all JustDial users were affected by the leak regardless of how they accessed the service: through the mobile app, the website or the customer support phone number. In fact, around 70% of the information in the database was gathered from people who called JustDial's "8888 8888" number. The breach is serious because of the sheer amount of detail that may have been viewed by unauthorized third parties: the records contain real names, mobile numbers, email addresses, home addresses, gender, date of birth, photos, occupation and more.

The independent researcher reached the database through an old API that JustDial no longer uses but that had been left running on the server. The API in question appears not to have been updated since mid-2015, so the exposure may have been live for nearly 4 years. There were other old, unprotected APIs as well, one of which could be used to trigger opt-out requests for all registered numbers, spamming the affected customers with emails and creating further headaches for JustDial.
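The failure pattern described above, a retired endpoint that still answers and hands back any customer's record to an unauthenticated caller, can be modelled in a few lines. The following is an added example, not JustDial's code: it shows the legacy behaviour beside a hardened lookup that requires a session and returns only the caller's own record, a router that fails closed on retired paths, and a small audit over constructed access-log lines that flags successful hits on endpoints that should no longer exist. All data, paths and token names are constructed for illustration.

```python
"""Model of a legacy-API exposure: vulnerable lookup, hardened lookup, fail-closed
router, and a log audit. Added example; all values below are constructed."""
from dataclasses import dataclass

# Constructed customer table keyed by mobile number; names and numbers are fictional.
CUSTOMERS = {
    "9100000001": {"name": "A. Example", "mobile": "9100000001",
                   "email": "a@example.test", "address": "1 Test Road"},
    "9100000002": {"name": "B. Example", "mobile": "9100000002",
                   "email": "b@example.test", "address": "2 Test Road"},
}
# Constructed session store: token -> mobile number of the authenticated user.
SESSIONS = {"tok-a": "9100000001"}

# Endpoints that have been retired. Any request to them must fail closed;
# the article's incident is exactly an old handler that was never removed.
RETIRED_PATHS = {"/legacy/v1/userinfo", "/legacy/v1/optout"}


@dataclass
class Response:
    status: int
    body: dict


def legacy_lookup(params: dict) -> Response:
    """The failure mode: no authentication and no ownership check, so any caller
    who supplies a mobile number receives that customer's full profile."""
    record = CUSTOMERS.get(params.get("mobile", ""))
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, record)


def hardened_lookup(headers: dict, params: dict) -> Response:
    """Corrected behaviour: require a valid session, derive the record owner from
    that session (never from a caller-supplied id) and return the minimum fields."""
    owner = SESSIONS.get(headers.get("Authorization", ""))
    if owner is None:
        return Response(401, {"error": "authentication required"})
    record = CUSTOMERS[owner]
    return Response(200, {"name": record["name"], "mobile": record["mobile"]})


def route(path: str, headers: dict, params: dict) -> Response:
    """Router that refuses retired paths outright instead of leaving old handlers reachable."""
    if path in RETIRED_PATHS:
        return Response(410, {"error": "endpoint retired"})
    if path == "/v2/me":
        return hardened_lookup(headers, params)
    return Response(404, {"error": "no such endpoint"})


# Constructed access-log lines in a "method url status" shape.
SAMPLE_LOG = """\
GET /v2/me 200
GET /legacy/v1/userinfo?mobile=9100000002 200
POST /legacy/v1/optout?mobile=9100000002 200
GET /v2/me 401
"""


def audit_access_log(log_text: str) -> list:
    """Detection: a 200 on a retired path means a handler that should be gone
    is still serving requests. Returns (method, path) pairs worth investigating."""
    findings = []
    for line in log_text.splitlines():
        method, url, status = line.split()
        path = url.split("?", 1)[0]
        if path in RETIRED_PATHS and status == "200":
            findings.append((method, path))
    return findings


if __name__ == "__main__":
    print("legacy:", legacy_lookup({"mobile": "9100000002"}))
    print("hardened, no session:", hardened_lookup({}, {"mobile": "9100000002"}))
    print("retired path:", route("/legacy/v1/userinfo", {}, {"mobile": "9100000002"}))
    print("audit findings:", audit_access_log(SAMPLE_LOG))
```

The two points to take from the comparison are that the hardened handler never trusts a caller-supplied identifier for authorization, and that retiring an endpoint means removing or blocking its route, not merely ceasing to link to it from the current app; the log audit is the cheap check that catches the latter when it has been missed.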

Company Denies Security Breach

JustDial issued a statement denying that its customers' information had been leaked, saying that all financial information and account passwords are stored in a double-encrypted format. The company further stated that the old API loophole had been fixed and that newer versions of its app do not contain the vulnerability: "This vulnerability which existed on the older app platforms is also now fixed. Newer (current) versions of app where majority of users are available do not have the above vulnerability." JustDial also said that an independent tech audit will be conducted to search for any remaining vulnerabilities.
