India-based travel booking site Yatra suffered a data breach in 2013 that compromised over 5 million records, including email addresses, physical addresses, plain-text passwords, phone numbers and postal PIN codes. The data breach, which has only just come to light, was first uncovered by data breach recorder Vigilante.pw.
Security researcher Troy Hunt's Have I Been Pwned service tweeted that the breach occurred back in 2013. However, it is not immediately clear if the company ever notified Yatra users about the intrusion.
Have I Been Pwned tweeted that 60% of the compromised email addresses were already found in its database.
The company has yet to publicly comment on the breach and HIBP's findings.
However, users are advised to immediately change their passwords on Yatra, and on any other sites and services where they use the same login credentials.
Although this isn't the first data breach affecting an India-based company to be thrust into the spotlight, very few firms publicly disclose data breaches and leaks.
In 2017, online restaurant search and review service Zomato notified customers of a data breach in which 17 million user records were stolen from the company's database. The firm acknowledged the breach after a dark web vendor was found selling Zomato user data for about $1000 in bitcoins.
However, this trend could prove problematic now that the EU's new General Data Protection Regulation (GDPR), which went into effect in May, is in force. The strict data privacy regulation applies to any company that processes, stores or uses data related to an EU citizen. Companies that fail to comply could face hefty fines of up to 4% of their global revenue or £20 million, whichever is higher.