Details of over 37,000 customers registered with financial service provider BharatPay were hacked. The leaked information, such as usernames, passwords, phone numbers, email addresses and UPI IDs, was found on a cybercrime forum. The data also included sensitive information of employees from their 32 partner banks. This hack has put the financial information of the 37,000 users at risk of further exploitation like spear-phishing, smishing, ransomware and social engineering attacks.
Major banks vulnerable to this hack
Details regarding the API configurations were also hacked, making way to further damage as it would allow access to financial plans, deductions, discounts etc. The stolen data was sold for less than eight credit points on the cybercrime forum.
The partner banks affected by the BharatPay hack include Axis Bank, HDFC, Punjab National Bank, Reserve Bank of India, State Bank of India, and Yes Bank, among others. BharatPay operates in 11 states and has over 50,000 retail outlets.
Outdated technology made the hack easier
Upon investigation, it was found that the outdated software version that was still used made hacking easier for cybercriminals. The researchers from CloudSEK found an outdated software version from October 2020 was being used. The PHP version of the software was 4.9.7. Moreover, they also continued using the outdated jQuery modules that use the 2014 version.
An independent security researcher, Sunny Nehra said to ET CISO “The outdated jQuery has prototype pollution and other flaws as well.” A sample of the outdated jQuery module is, “/*! jQuery v2.1.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */.
Security measures suggested by experts and researchers
As per CloudSEK researchers, it is recommended that the companies patch vulnerable and exploitable endpoints and not store passwords in cleartext. Enabling multi-factor authentication is also stressed as a security measure. Since the hacker may have propagated a Denial of Service (DoS) or remote code execution attack, researchers ask service providers to scan anomalies in user accounts for possible account takeovers.
Mitigation activities have been implemented by BharatPay security personnel and the victims of the BharatPay hack have been informed about the incident.
