After facing a potential data leak in 2019, Justdial is once again in the news for a similar vulnerability in its database that exposed sensitive personally identifiable information of over 100 Mn users, according to cybersecurity researcher Rajshekhar Rajaharia, who had also flagged the earlier flaw in 2019. While Justdial has fixed the vulnerability that left its application programming interface (APIs) unprotected, the data has seemingly been in the open since March 2020, Rajaharia added.
The unprotected database contained PII data such as names of users, their email addresses, mobile numbers and dates of birth of users. This is the same vulnerability that was reported in 2019, which was later fixed by Justdial. However, it seems that the leak was not fixed completely as indicated by this latest incident.
With more than 25 verticals on its website, Justdial started as a phone-based local directory. The company currently offers services such as bills and recharge, grocery and food delivery, and handles bookings for restaurants, cabs, movie tickets, flight tickets, events and more.
Earlier this month, Reliance Retail acquired a controlling stake in Justdial for INR 3,497 Cr. Justdial has branches in 11 cities across India with an on-ground presence in over 250 Indian cities covering more than 11K postal codes. The Mumbai-based company listed publicly in May 2013. It claims to have an extensive database of around 30.4 Mn listings and with 129.1 Mn quarterly unique users.
While the existence of an unprotected database does not mean that unauthorised personnel had access to Justdial user data, it does open up the possibility that this data might have been used by malicious actors to initiate SMS bombardment campaigns or other forms of phishing activity. Inc42 has reached out to Justdial for a response on the latest data leak, and we will update the story with the company’s responses as soon as we receive them.
Besides Justdial, major companies such as Domino’s India have also been caught in potential data breaches this year. In May, data related to over 18 Cr orders from pizza chain Domino’s India appeared on the dark web and the database was made public by the hacker or hacking group behind the leak. A threat actor claimed to have stolen 13 TB of data from Domino’s India, putting the personal information of 250 employees across functions, as well as customer details from 18 Cr orders. The data included names, email addresses, mobile numbers, GPS coordinates and other info related to Domino’s orders.
Another major data leak this year involved fintech startup MobiKwik, which denied claims about a data breach impacting 100 Mn users. Many experts called it the biggest data leak from an Indian tech startup. The leaked data is said to impact Mobikwik’s individual customers as well as the merchants that have procured loans from the company. First spotted by Rajaharia, the database contains user records for 11 Cr Mobikwik users with a whopping 8.2 TB of data.