Once again, the data of millions of customers was put at risk by a security lapse. This time, the affected firm appears to be Justdial – an Indian local search service. Because of an unprotected database, the firm inadvertently exposed details of 100 million users.
Justdial Exposed Records Of 100 Million Users
Recently, a researcher found a leaky database exposing 100 million users’ records. The records allegedly belong to the Indian local search service Justdial. The firm inadvertently exposed user records through an unprotected API endpoint connected to its database.
Researcher Rajshekhar Rajaharia first noticed the leak and disclosed it in a tweet. Reportedly, he found 100 million publicly accessible records of Justdial users, including their personal details.
#justdial Your 100 Million users data including name, email, mobile, gender, dob, address, photo, company, occupation & other details r publicly accessible. Fix ASAP. DM for Detail #infosec #CyberSecurity #dataprotection #privacy #breach #CyberAttack #India #news #datasecurity pic.twitter.com/nnR0PNMY8o
— Rajshekhar Rajaharia (@rajaharia) April 12, 2019
However, since he could not reach the firm about the matter, he approached a third party, which independently verified his findings and confirmed that the leaky API endpoint not only exposed old records but also returned fresh ones. The exposure therefore also affected every user who had ever called the Justdial customer service number 88888 88888.
According to Rajaharia, the leaky endpoint is not a recent one but an old API endpoint no longer in active use, which he came across while pentesting the current APIs. He also found some other old, unprotected APIs.
“Rajshekhar also found a few other old unprotected APIs, one of which could allow anyone to trigger OTP request for any registered phone number, which might not be a serious security issue, but could be used for spamming users and costing the company.”
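The two findings above (a deprecated endpoint left reachable without authentication, and an OTP endpoint anyone can trigger for any number) correspond to two routine controls: an audit of the route manifest for forgotten or unauthenticated endpoints, and per-number plus per-client rate limiting on OTP sends. The Python below is an added illustration, not Justdial's code or the researcher's; the route paths, manifest fields and limits are hypothetical and constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
import time


@dataclass
class Route:
    path: str
    auth_required: bool          # caller must present a valid session or API key
    returns_personal_data: bool  # response contains customer records
    deprecated: bool             # superseded by a newer version
    enabled: bool                # still routed by the API gateway


# Constructed route manifest with hypothetical paths (not Justdial's real API).
ROUTES = [
    Route("/v2/search", auth_required=False, returns_personal_data=False,
          deprecated=False, enabled=True),
    Route("/v2/user/profile", auth_required=True, returns_personal_data=True,
          deprecated=False, enabled=True),
    # The failure mode in the report: an old endpoint nobody uses any more,
    # still reachable, no authentication, handing back customer records.
    Route("/v1/user/profile", auth_required=False, returns_personal_data=True,
          deprecated=True, enabled=True),
    Route("/v1/otp/send", auth_required=False, returns_personal_data=False,
          deprecated=False, enabled=True),
]


def audit_routes(routes):
    """Return (path, reason) pairs for every route violating the policy:
    deprecated routes must be disabled, and anything returning personal
    data must require authentication."""
    findings = []
    for r in routes:
        if r.deprecated and r.enabled:
            findings.append((r.path, "deprecated endpoint still enabled"))
        if r.enabled and r.returns_personal_data and not r.auth_required:
            findings.append((r.path, "personal data served without authentication"))
    return findings


class OtpRateLimiter:
    """Sliding-window limiter for an OTP endpoint, keyed both by the target
    phone number (protects the user from SMS spam) and by the requesting
    client (caps what one abuser can cost the company in SMS fees)."""

    def __init__(self, max_per_number=3, max_per_client=20, window_s=600,
                 clock=time.monotonic):
        self.max_per_number = max_per_number
        self.max_per_client = max_per_client
        self.window_s = window_s
        self.clock = clock                 # injectable for deterministic tests
        self.hits = defaultdict(deque)     # key -> send timestamps in the window

    def _count(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window_s:   # drop expired timestamps
            q.popleft()
        return len(q)

    def allow(self, phone, client_id):
        """True if this OTP send may proceed; False if either budget is spent."""
        now = self.clock()
        keys = ((("phone", phone), self.max_per_number),
                (("client", client_id), self.max_per_client))
        if any(self._count(k, now) >= limit for k, limit in keys):
            return False
        for k, _ in keys:                  # record only when a send happens
            self.hits[k].append(now)
        return True


if __name__ == "__main__":
    for path, reason in audit_routes(ROUTES):
        print(f"{path}: {reason}")
    limiter = OtpRateLimiter(max_per_number=3)
    print([limiter.allow("user-phone-1", "client-a") for _ in range(4)])
```

The audit flags the old profile endpoint twice (still enabled, and serving personal data without authentication), which is exactly the combination the report describes. The limiter refuses the fourth OTP request for the same number inside the window and, independently, stops a single client after its own budget, so a caller cycling through many numbers is still capped.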
Justdial’s Denial Of Breach
Although Rajshekhar Rajaharia made clear observations regarding the data exposure, Justdial categorically denied any breach. As reported by ET NOW, the company’s CFO Abhishek Bansal rejected the researcher’s findings.
Categorically deny that there was any data breach on our platforms. All data on our platform is secure & protected, clarifies CFO of #Justdial Abhishek Bansal, in an #EXCLUSIVE chat with @Ajaya_buddy pic.twitter.com/BaR5qaUzbY
— ET NOW (@ETNOWlive) April 18, 2019
The researchers, for their part, responded in a thread:
It seems the #JustDial story hasn’t ended yet.
JustDial shared a statement with THN, which seems to be common for all publications, but is mostly irrelevant to our story and contradictory to our finding.
Here below in this thread we have shared our response to this statement. pic.twitter.com/DbU8iknfmX
Nonetheless, the researchers maintain their stance: they are not reporting a breach, but a vulnerable database exposing user records.
Let’s see what more we hear from the two sides in this regard.