What is the issue - A security researcher uncovered a database belonging to JustDial that was exposed online without any password protection.
Why it matters - The unprotected database exposed the personal information of almost 100 million users who accessed the service via its website, mobile app, or by calling its customer care number.
What was exposed - The exposed data includes JustDial users’ names, email addresses, mobile numbers, location addresses, genders, dates of birth, photos, designations, company names, and more.
The big picture
An independent security researcher named Rajshekhar Rajaharia uncovered an unprotected database belonging to JustDial.
“#justdial Your 100 Million users data including name, email, mobile, gender, dob, address, photo, company, occupation & other details r publicly accessible. Fix ASAP. DM for Detail,” Rajaharia tweeted.
Upon discovering the leaky database, the security researcher contacted JustDial via its contact page to notify the company about the exposure, but received no response. Rajaharia then contacted The Hacker News and shared the details of the unsecured database.
The security researcher noted that the database’s API endpoint is an old one that the company no longer uses but which was left forgotten, and still reachable, on the server.
Rajaharia also identified a few other old, unprotected APIs that could allow attackers to trigger OTP requests for any registered mobile number, which could then be abused for spamming.