BharatPay
| Primary URL | Location | Industry |
|---|---|---|
| bharatpe[.]com | Country: India | Financial Services |
Profile
BharatPay, also known as BharatPe, is a financial services provider headquartered in India that operates within the digital payments sector. The company offers payment solutions, primarily leveraging the Unified Payments Interface (UPI) system to facilitate transactions for its users. Its services involve managing user accounts that store personal details such as names, phone numbers, and UPI IDs, along with maintaining records of financial transactions and bank balances. The organization's infrastructure integrates with multiple partner banks, a relationship evidenced by the compromise of official employee contact information and API keys during a security incident. This integration allows users to link bank accounts and conduct various financial activities, positioning BharatPay as an intermediary in India's cashless payment ecosystem.
In August 2022, BharatPay suffered a significant data breach that exposed the personal and transactional data of approximately 37,000 users. The leaked information included names, hashed passwords, phone numbers, UPI IDs, bank balances, and multi-year transaction records. The incident also compromised sensitive operational data, such as callback logs containing transaction details and API keys for critical utilities from partner banks. The breach originated from vulnerabilities in outdated software components that enabled prototype pollution and remote code execution. A threat actor with a documented history of attacking financial institutions claimed responsibility for accessing and leaking the database. BharatPay has not publicly detailed its remediation plans following the incident, which heightened risks for affected users through potential phishing, smishing, and ransomware campaigns.
