Over 100 Million Justdial Users’ Personal Data Found Exposed On the Internet (Apr 17, 2019)
The Indian local search company, “Justdial,” which is India’s largest local search company, was observed to be leaking its customers’ Personally Identifiable Information (PII), according to security researcher Rajshekhar Rajaharia. Rajaharia discovered that Justdial was using an API endpoint that contained a database storing customer data that was publicly accessible since at least mid-2015. The information observed to be stored in the database consists of: address, cell phone number, company name, date of birth, email address, gender, name, occupation, photo, and any other data a user provided to Justdial.
Recommendation: It is crucial for your company to verify that access control is configured correctly prior to adding any sensitive data. As this story portrays, a misconfigured software can cause leaks of sensitive information, which could be used for further malicious activity, and cause significant harm to a company’s reputation. Furthermore, Justdial users should be aware of potential phishing activity that could be crafted with associated information to make the emails appear more legitimate.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.