
Cyber Incident Victim: BharatPay

Date: Aug 2022

Location: India

Summary

A financial services provider experienced a significant data breach exposing personal and transactional details of approximately 37,000 users, including names, hashed passwords, phone numbers, UPI IDs, bank balances, and multi-year transaction records. The leak also compromised official employee contact information from partner banks, API keys for critical utilities, and callback logs containing sensitive transaction data, heightening risks of phishing, smishing, and ransomware attacks. The breach originated from vulnerabilities in outdated software components enabling prototype pollution and remote code execution. A threat actor linked to prior attacks against other financial institutions claimed responsibility for accessing and leaking the database, though the organization has not publicly detailed its remediation plans.


Description

On August 16, 2022, cybersecurity researchers disclosed a data breach impacting BharatPe (referenced as BharatPay in initial reports), involving the leak of sensitive customer and institutional data from its backend systems. The compromised database contained personal and financial details of approximately 37,000 users, including names, mobile phone numbers, UPI IDs, and hashed passwords. Transaction records spanning February 2018 to August 2022—encompassing bank balances, payment histories, and callback logs with transaction-specific metadata—were exposed alongside API keys for utility and bill payment services. The breach also affected 32 partner banks and financial institutions, with employee contact information and official email addresses from Indian insurance and banking firms appearing in the leaked dataset. Researchers from CloudSEK identified the data being advertised for sale on a cybercrime forum, attributing the intrusion to a threat actor active since March 2022 who previously targeted Manappuram Finance and Airtel Payments Bank.


Technical analysis revealed that outdated software components—specifically jQuery version 2014 and PHP 4.9.7—enabled prototype pollution vulnerabilities and remote code execution, facilitating unauthorized access to BharatPe’s systems. The exposure of callback logs and API keys created risks of transaction manipulation and unauthorized third-party service integrations. Researchers emphasized that the leaked personal data elevated threats of phishing, smishing (SMS phishing), and ransomware attacks against affected users and institutional employees. BharatPe had not publicly confirmed the breach’s operational impact, remediation timeline, or customer notification plans at the time of reporting. No details regarding breach detection methods, containment measures, or forensic investigations were disclosed in available sources.
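The prototype pollution class named above is easiest to understand from a minimal reproduction. The block below is an added illustration and not BharatPe code, nor jQuery's own source: it places a naive recursive "deep extend" helper that copies every key from untrusted JSON (the shape of the bug that affected older jQuery `$.extend(true, ...)` calls) beside a hardened merge that refuses the keys reaching the prototype chain. The input document and the `isAdmin` property are constructed for the demonstration.

```javascript
// Constructed untrusted input, e.g. a JSON body from a request or callback.
// A "__proto__" key in JSON.parse output is an ordinary own property, so a
// merge helper that does not screen it will walk into Object.prototype.
const UNTRUSTED_JSON = '{"displayName":"demo","__proto__":{"isAdmin":true}}';

// Vulnerable: recursively copies every key, including "__proto__".
// target["__proto__"] resolves to Object.prototype, so the recursion
// writes attacker-controlled keys onto every object in the process.
function unsafeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      unsafeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: the three keys that can reach a prototype are skipped, and the
// existing-branch check uses an own-property test so inherited values are
// never treated as merge targets.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      if (!hasOwn || typeof target[key] !== "object" || target[key] === null) {
        target[key] = {};
      }
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs both helpers on the same input and reports whether an unrelated,
// freshly created object "gained" the injected property.
function demonstrate() {
  const untrusted = JSON.parse(UNTRUSTED_JSON);

  unsafeDeepMerge({}, untrusted);
  const pollutedByUnsafe = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo the global side effect before the next check

  const merged = safeDeepMerge({}, untrusted);
  const pollutedBySafe = ({}).isAdmin === true;

  return { pollutedByUnsafe, pollutedBySafe, mergedKeys: Object.keys(merged) };
}

console.log(demonstrate());
// → { pollutedByUnsafe: true, pollutedBySafe: false, mergedKeys: [ 'displayName' ] }
```

The defensive takeaway matches the incident write-up: keeping the merge library current (jQuery fixed this in 3.4.0) removes the bug at its source, and a key allowlist or the blocklist above is the fallback where a dependency cannot be upgraded immediately. A detection hint for code review is any recursive copy over `Object.keys`/`for...in` of request-derived data that does not screen these three keys.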
