Data Breach in BHIM payment app could lead to exposing 7 million users data. Recently in a blog post by vpnMentor reported a massive data breach could have happened in India’s mobile payments app BHIM.
According to vpnMentor, In a campaign to sign a large number of business merchants and users to the BHIM app across India, all related data is stored in a misconfigured AWS S3 bucket which was publicly accessible.
The scale of expose is massive and affecting millions of users in India. The data was found to be sensitive which can be used for transactions. It may potentially lead to theft, fraud and much more.
It is not a complete database exposure, it contains data from February 2019 which is about 7 million users data.
This misconfigured AWS S3 bucket was named as ‘csc-bhim’ and the team identified the developers behind the website cscbhim.in as the responsible data owners. The vpnMentor team reached the cscbhim team but not replied, later the vpnMentor team reached India’s Computer Emergency Response Team (CERT-In) which deals with cybersecurity in India.
This security vulnerability is discovered on April 23, 2020 and the vulnerability is fixed on May 22, 2020.
Recent Update
National Payment Corporation of India (NPCI) released a press note regarding the data breach. It claims that the data breach didn’t happen. But it did not respond about the misconfigured AWS S3 bucket which has publicly exposed.
Here is the official press note by NPCI
For more related content follow us on Twitter, Telegram, Facebook.
