A significant security vulnerability in Dukaan, a prominent Indian e-commerce platform, has potentially exposed millions of dollars in merchant funds and sensitive customer data. The breach, which remained undetected for over two years, could have allowed attackers to drain funds through fraudulent transactions and exploit personal information for various malicious purposes.

Key Takeaways

  • Dukaan's unsecured data stream exposed payment gateway tokens, risking millions in merchant funds.
  • Authentication tokens for major payment processors like Stripe, PayPal, and RazorPay were compromised.
  • The security lapse persisted for over two years, providing ample opportunity for data theft.
  • Attackers could have facilitated fake payments, refunds, and continuous financial abuse.

The Extent of the Breach

Cybernews researchers uncovered a publicly accessible Apache Kafka broker associated with Dukaan that was continuously streaming large volumes of data. The instance had been publicly indexed since August 2023, so the sensitive information may have been reachable for an extended period. Dukaan, which supports over 3.5 million merchants and serves 16 million customers globally, faced substantial risk from this prolonged exposure.
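As an added illustration, not Dukaan's configuration (the report does not show it), the broker-side settings that produce an exposure of this kind appear below as commented-out "before" lines next to a hardened replacement for a Kafka server.properties file; hostnames, file paths, passwords and the principal name are placeholders.

```properties
# --- BEFORE (constructed example of the exposed pattern) ---
# An anonymous plaintext listener bound to every interface and no authorizer:
# any client that can reach port 9092 can list topics and consume every record,
# payment-gateway tokens and customer PII included.
#listeners=PLAINTEXT://0.0.0.0:9092
#advertised.listeners=PLAINTEXT://broker.example.com:9092

# --- AFTER: hardened replacement ---
# Offer only a TLS + SASL listener; the plaintext listener is removed entirely,
# not merely supplemented.
listeners=SASL_SSL://0.0.0.0:9093
advertised.listeners=SASL_SSL://broker.example.com:9093
security.inter.broker.protocol=SASL_SSL

# Transport encryption for the listener (placeholder paths and passwords;
# in practice pull these from a secrets manager or config provider).
ssl.keystore.location=/etc/kafka/ssl/broker.keystore.jks
ssl.keystore.password=CHANGE_ME
ssl.key.password=CHANGE_ME
ssl.truststore.location=/etc/kafka/ssl/truststore.jks
ssl.truststore.password=CHANGE_ME

# Client authentication with SCRAM credentials (the credentials themselves are
# stored in the cluster, not in this file).
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
listener.name.sasl_ssl.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required;

# Authorization: deny by default and grant per-topic ACLs to named principals.
# (ZooKeeper-based clusters; KRaft clusters use
#  org.apache.kafka.metadata.authorizer.StandardAuthorizer instead.)
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
super.users=User:kafka-admin
```

Per-topic ACLs are then granted with kafka-acls.sh, and the broker port should additionally be restricted at the network edge so that authentication is not the only control standing between the internet and the stream.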

Compromised Data

The leaked data included a wide range of sensitive information, such as:

  • Authentication tokens for payment gateways
  • End-user order details
  • Information about visited stores and purchased items
  • Customer names, email addresses, and phone numbers
  • Home addresses

Potential for Massive Financial Loss

Beyond personal customer data, the exposure of authentication tokens for payment processors like Stripe, PayPal, and RazorPay presents the most alarming threat. These tokens could grant attackers direct access to merchant accounts, enabling them to:

  • Access and potentially steal customer payment information, including card numbers and CVV codes.
  • Initiate unauthorized fake payments or refunds to siphon funds.
  • Exploit transaction histories for targeted financial scams.

Financially motivated threat actors, or even sophisticated groups like North Korea's Lazarus Group, could have exploited this vulnerability. By initiating small test orders, attackers could have captured transaction logs, extracted payment tokens, and rerouted funds, potentially leading to hundreds of millions of dollars in financial losses over time. The prolonged nature of the undetected breach exacerbates the risk of continuous, small-scale financial abuse.

Broader Implications

While the financial implications are severe, the leaked personal details of millions of buyers also pose significant risks. This data can be weaponized for identity theft, sophisticated phishing campaigns, and doxxing attempts. Cybernews has alerted Dukaan and India's CERT. While the data leak has reportedly been secured, the company has not yet issued an official statement.
