Cyber Incident Victim: Yatra Online Pvt Ltd
Date: Jul 2013
Location: India
Summary
A data breach at Yatra.com exposed approximately five million customer records containing personally identifiable information and credentials, including email addresses, physical addresses, dates of birth, phone numbers, PINs, and passwords stored in plain text. The incident was identified and reported by third-party breach-tracking services rather than the company itself, with no official communication acknowledging the compromise. The exposed data posed significant privacy risks due to the sensitivity of the information involved and the insecure storage of authentication details.
Description
In July 2018, the Have I Been Pwned (HIBP) service disclosed a data breach affecting the Indian online travel platform Yatra.com, involving approximately 5,033,997 user accounts. The breach originated from a 2013 incident, though its public identification occurred five years later through HIBP’s analysis of third-party breach databases. Exposed records included personally identifiable information such as email addresses, physical addresses, dates of birth, and phone numbers. Notably, the compromised data contained both account passwords and PINs stored in plain text, eliminating cryptographic protections that could have hindered unauthorized access. The breach dataset was initially identified by Vigilante, a separate breach aggregation service, before HIBP validated and publicized the findings via Twitter. No technical details regarding the breach methodology—such as intrusion vectors, attacker identities, or internal detection timelines—were disclosed in available reports. The scale of the incident positioned it among significant breaches within India’s digital commerce sector at the time, coinciding with heightened public scrutiny of data security practices following multiple high-profile cybersecurity incidents globally.

Yatra.com did not issue formal communications to affected users or public statements acknowledging the breach at the time of HIBP’s disclosure, contrasting with contemporaneous breach responses from companies like Zomato, which proactively notified users and mandated password resets. The absence of direct notification left users reliant on third-party services like HIBP to determine potential exposure. Vigilante’s role as the primary source of breach validation indicated that external researchers, rather than Yatra.com’s internal security teams, identified the compromised data. The breach’s public emergence occurred amid intensifying debates regarding consumer privacy rights and corporate accountability in India, particularly concerning the storage of sensitive data like plaintext credentials. While the article referenced general risks of password reuse across multiple platforms, it did not document specific instances of fraud or financial harm directly linked to the Yatra.com breach. The longevity of the exposed data—remaining undetected for five years—highlighted challenges in breach discovery and disclosure timelines within the travel and e-commerce sectors.
