An independent security researcher reported a Justdial security breach, claiming that private data of 100 million users of the local search engine had been exposed. However, the company has refuted the rumours.
Sutrishna Ghosh
Hyperlocal search engine Justdial has shot down reports that a security breach exposed information on its 100 million users. Earlier this week, several news sites reported a data leak that allegedly made sensitive user data, including names, email IDs, mobile numbers, addresses, company, occupation, and other details, publicly available. All claims were based on the findings of an independent security researcher, who said he had discovered a large loophole in Justdial’s database.
Refuting rumours of a security breach, however, the local search company has since clarified that all sensitive user information, including any financial information and any user passwords, is protected as per industry practices. In addition, the company said that the majority of the Justdial platform works on OTP-based authentication.
“Financial information is stored in double-encrypted format and regularly audited by PCI DSS compliant auditing firm,” Justdial confirmed in a statement shared with YourStory.
Rajshekhar Rajaharia, the independent security researcher who reported the breach via social media, said on April 12 that he had been unable to contact Justdial’s tech/security team to report the security issue. He further added that 70 percent of the leaked data belonged to customers who had called Justdial’s customer care number “88888 88888”, as per reports.
According to Rajaharia, the data leak took place via an older version of the company’s website which has not been maintained since mid-2015.
In response, Justdial said it had implemented adequate encryption for the older APIs that were impacted.
“The older versions of our apps, which currently cater to only a very small fraction of our users, were using certain APIs by which, on the basis of a particular mobile number entered, certain basic user details were accessible (no financial information was accessible). This vulnerability, which existed on the older app platforms, is also now fixed. Newer (current) versions of the app, where the majority of users are, do not have the above vulnerability,” the company added.
Justdial assured that it had also initiated an independent tech audit to identify any existing vulnerabilities.
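The statement above describes an API that returned basic user details for whatever mobile number the caller entered. The example below is added here and is not Justdial’s code; it contrasts that unauthenticated lookup pattern with a lookup gated on the OTP-based authentication the company says its platform relies on. All profile data, numbers and the in-memory stores are constructed for illustration.

```python
import hmac
import secrets
import time

# Constructed sample profile store keyed by mobile number; values are invented.
PROFILES = {
    "9000000001": {"name": "A. Sample", "email": "a.sample@example.com", "city": "Mumbai"},
}
_OTPS = {}      # mobile -> (otp, expiry timestamp)
_SESSIONS = {}  # session token -> mobile number that proved possession via OTP
_ATTEMPTS = {}  # mobile -> failed OTP verifications (crude lockout counter)

def _clock(now):
    return time.time() if now is None else now

def lookup_weak(mobile):
    """The pattern the statement describes: any caller that submits a number gets the profile."""
    return PROFILES.get(mobile)

def issue_otp(mobile, now=None):
    """Generate a short-lived OTP for the number; in production it is sent by SMS, not returned."""
    otp = f"{secrets.randbelow(10**6):06d}"
    _OTPS[mobile] = (otp, _clock(now) + 300)
    return otp

def verify_otp(mobile, otp, now=None):
    """Exchange a correct, unexpired OTP for a session token bound to that number."""
    if _ATTEMPTS.get(mobile, 0) >= 5:          # lock out after repeated guesses
        return None
    stored = _OTPS.get(mobile)
    ok = (stored is not None and _clock(now) <= stored[1]
          and hmac.compare_digest(stored[0], otp))
    if not ok:
        _ATTEMPTS[mobile] = _ATTEMPTS.get(mobile, 0) + 1
        return None
    del _OTPS[mobile]                            # single use: a replayed OTP fails
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = mobile
    return token

def lookup_hardened(mobile, token):
    """Return the profile only to a session that proved possession of that same number."""
    if _SESSIONS.get(token) != mobile:
        return None
    return PROFILES.get(mobile)
```

The hardened path also defends against the number-enumeration risk the weak one creates: a token for one number cannot be used to read another number's profile, and repeated wrong OTPs lock the number out.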