JustDial, a search service in India, has suffered a data breach exposing the data of over 100 million of its customers. The exposed data includes personal information such as names, email addresses, contact numbers, gender, birth dates, occupations, and company names; in a nutshell, every piece of profile information that customers provided to JustDial.
Rajshekhar Rajaharia is the independent security researcher who reported the leak via a Facebook post.
Rajshekhar mentioned that 70% of the data that was made public came from users who called JustDial's customer care number: 88888 88888. According to Rajshekhar, four application programming interfaces (APIs) had remained vulnerable over these years.
JustDial is leaking personal information of users in real-time.
A trusted security firm reached out to Rajshekhar to verify whether the faulty API was fetching real-time results directly from the JustDial server. The firm dialed JustDial's customer service number and gave the executive made-up personal details while asking for recommendations of good restaurants in the city. Immediately after the call, Rajshekhar was able to read back to them the details they had just provided to JustDial customer care. This proves that the unprotected API was fetching customers' personal information in real time.
The unprotected API had existed since mid-2015 and was connected to the primary JustDial database; Rajshekhar explained that it was no longer used by the company and had been left forgotten on the server.
JustDial already made the following statement:
- They explained that the old version of their apps caters to only a tiny fraction of their users.
- The vulnerability that existed in their older app has been fixed.
- They also added that they have implemented adequate encryption for the older API and have initiated an independent tech audit to identify existing vulnerabilities.
JustDial is an online directory for services that also offers bill payment, grocery, and food delivery services.
iZOOlogic is at the cutting edge of monitoring and alerting on these types of data breaches. Our commitment to our client base is to scout the dark web for activity that may target their business units and customers through suspected malicious actions.
We treat massive data breaches with diligence, as large-scale public exposure of Personally Identifiable Information is a ready starting point for social engineering schemes such as phishing. We urge everyone to take a proactive approach to avoid any future inconvenience.