Online directory JustDial denied any data breach following reports of an information leak affecting 100 million users. The company said that the vulnerability existed only in the older version of its app and has since been fixed. Even so, JustDial said, no financial information was leaked. The company also said that it has initiated an independent tech-audit to identify any existing vulnerability.
In a statement, JustDial said, "The older versions of our apps, which currently cater to only a very small fraction of our users, were using certain APIs by which basis a particular mobile number entered, certain basic user details were accessible (no financial information was accessible). This vulnerability which existed on the older app platforms is also now fixed. Newer (current) versions of app where majority of users are available do not have the above vulnerability. We have implemented adequate encryption for the older APIs which were impacted and have initiated an independent tech-audit to identify any existing vulnerabilities."
This statement comes after an independent security researcher said on Facebook that the local search service faced a data breach on Wednesday that exposed user information to the public. The researcher said that information such as names, email IDs, mobile numbers, addresses, dates of birth and gender was publicly available after the JustDial data breach.
The researcher, Rajshekhar Rajaharia, said that 70 per cent of that data belonged to users who had called JustDial's customer care number - 88888 88888. He added that even people who did not use JustDial's app or website and had only called that number might have had their data leaked. Rajaharia further said that the breach happened through an older version of JustDial's website, which has been unattended since mid-2015, according to a report in The Economic Times.
Rajaharia said that four APIs (application programming interfaces) had remained unprotected over these years before the JustDial data breach. He said, however, that JustDial got in touch with him and that at that time the company was not able to fix the issue completely. Rajaharia further mentioned that the newer version of JustDial remains protected from the breach.