JustDial’s Data Breach Involves Over 100 Million Users

There is a new data breach happened recently that exposed the information of over 100 million people. The company at fault of this scandal is JustDial, a firm providing local search for different services in India. What was leaked are names, emails, mobile numbers, gender, address, and D.O.B. The incident was first reported by Rajshekhar Rajaharia, a security researcher & growth hacker, on his Facebook page.

According to Rajaharia, 7 out of 10 cases in this incident have used JustDial’s customer care number. Other information like users’ occupation, which is required when they sign up for its service is also leaked. He had tried to contact the company as well as its security team but failed.

Rajaharia’s report reveals that the leading cause of this data breach is an API endpoint that lets anyone online gets access. This endpoint has been around since 2015, and no one can be sure if a similar breach had happened, but we did not know about it. If someone wants to harvest these data, they can do it in real-time with the API weakness.

Please note that the problematic API endpoint is no longer in use and JustDial has a new, protected one now that can protect these data. With this improvement, the new website is more secure than the old one. However, Rajaharia has found more than one API endpoints that can open the door for identity theft.

According to The Economic Times, JustDial had contacted Rajaharia about this incident, but at the time of writing, the issue has not been fixed yet. The company also denied the claim of a data breach, saying that they had encrypted the old apps and there has been no leak regarding financial information. There is also a tech-audit in charge of finding such an issue and deal with it if there is.