Over 100 Million JustDial Users’ Personal Data Found Exposed On the Internet

Posted on by Dissent

Remember what I said earlier today about India being a data protection mess? Here’s another example. Mohit Kumar reports:

An unprotected database belonging to JustDial, India’s largest local search service, is leaking personally identifiable information of its every customer in real-time who accessed the service via its website, mobile app, or even by calling on its fancy “88888 88888” customer care number, The Hacker News has learned and independently verified.

Founded over two decades ago, JustDial (JD) is the oldest and leading local search engine in India that allows users to find relevant nearby providers and vendors of various products and services quickly while helping businesses listed in JD to market their offerings.

Rajshekhar Rajaharia, an independent security researcher, yesterday contacted The Hacker News and shared details of how an unprotected, publicly accessible API endpoint of JustDial’s database can be accessed by anyone to view profile information of over 100 million users associated with their mobile numbers.

Read more on The Hacker News.  JustDial subsequently responded with the following statement (courtesy of THN’s Twitter account):

As TheHackerNews notes in their Twitter thread on this matter (begins here), THN did not declare this a data breach. That said, they do take exception to certain claims by JustDial.  As one example, THN tweets:

Statement says, “older versions cater to only a tiny fraction of users.”

Incorrect. we have verified that old APIs (exist since 2015) were fetching data from database to which the new protected APIs are also connected.

Hence, leaking profile data of even the very latest users.

So, this is still an openly disputed incident with more follow-ups by THN and JustDial likely.

Category: Breach IncidentsExposureNon-U.S.