Thursday, November 2, 2023

PayHere Data Breach - RESURFACED!



Background:

More than a year after the initial breach in April 2022, the PayHere breach data resurfaced on the dark web in July 2023, causing confusion and concern among social media users in Sri Lanka.

A key reason is the suspicion that Helakuru app user data may also have been impacted, as the app is owned by the same company behind the Internet Payment Gateway (IPG), PayHere.
Helakuru is a very popular Unicode keyboard used by more than 10 million Sri Lankans.


Initial Breach (April 2022):

 Nature of Breach (April 2022):

  • PayHere, the financial technology arm of Bhasha Lanka, suffered a cyberattack in April 2022, leading to a 36-hour service outage.
  • The breach exposed more than 65GB of payment records, including over 1.5M unique email addresses.
  • The data also included IP and physical addresses, names, phone numbers, purchase histories and partially obfuscated credit card data (card type, first 6 and last 4 digits plus expiry date).
  • The attackers defaced the website and published a note on the landing page.
  • The attackers hijacked the SMS gateway and sent some merchants messages that read "PayHere is Hacked".
  • According to PayHere, no full credit card numbers were compromised, as they do not store complete card details.

 Company Response and Criticism (April 2022 - July 2023):

  • Initial Delay in Transparency:
    The company faced criticism from experts like Troy Hunt (creator of the Have I Been Pwned service) for delayed communication and a lack of transparency, having failed to inform clients promptly about the incident.
  • Risk of Partial Credit Card Details:
    Hunt emphasized that partial credit card details, if leaked, could still pose risks, highlighting the need for stricter security measures.

 

Company Response and Ongoing Measures (May 2022 - August 2022):

  • PayHere published a detailed report, apologized to affected parties, upgraded its systems and engaged the BugZero bug bounty program to strengthen security measures.
  • Sri Lanka CERT confirmed that no full card numbers were compromised, and the Visa and MasterCard card networks closed the investigation after reviewing the incident report.



 Resurfacing of Data (July 2023):

Dark Web Resurfacing (July 27, 2023, and July 29, 2023):

  • Google One and F-Secure.com highlighted the data breach involving PayHere on the dark web, causing concern among users.
  • PayHere clarified that this was not a new breach but a recirculation of the same data from the April 2022 incident. The company gave assurance that no new compromise of its systems has occurred since corrective measures were implemented after the 2022 breach.

 Company's Assurance and Continued Security Measures:

  • PayHere reassured users of their commitment to security, emphasizing constant coordination with cybersecurity experts to maintain the platform's safety.
  • The company acknowledged the need for better transparency, pledging to improve communication and educate clients promptly in the event of any future security incidents.


Are you impacted?

How can you check?

  • Enter your email address in the Have I Been Pwned service and check whether your details are listed under the PayHere breach.
  • Go to one.google.com and, under "Dark web report", click "Try Now". Then click "Run Scan".

Corrective measures if impacted.

  • Be cautious of phishing emails or text messages and don't click on suspicious links.
  • Enable multi-factor authentication on your critical accounts where available.
  • Use complex and unique passwords/passphrases, and use a reliable password manager to manage them.
  • Always keep your devices (smartphones, laptops, desktops) updated.

 



 

