New York-based payment processor startup Paay left a database unsecured for weeks, exposing millions of credit card transactions, according to a report by TechCrunch.
Security researcher Anurag Sen found a database belonging to card payment processor Paay open for anyone on the Internet to see. According to Sen, the database contained about 2.5 million card records belonging not only to consumers but also to small businesses and online stores.
Sen reported the incident to TechCrunch, which contacted Paay on his behalf. Paay reportedly took the database offline afterward.
According to company co-founder Yitz Mendlowitz, the situation was caused by a security error that left the database exposed. Paay also said the error occurred during a transition between servers, which left the database unprotected.
“On April 3, we spun up a new instance on a service we are currently in the process of deprecating. An error was made that left that database exposed without a password,” said Mendlowitz.
The payment processor startup confirmed that the database contained daily card transaction records dating back to September 2019. According to TechCrunch, each transaction record contained a full plaintext credit card number, the card's expiry date, and the amount spent on the card.
Meanwhile, Paay denied the findings, saying ‘We don’t store card numbers, as we have no use for them.’ TechCrunch sent a portion of the database showing the card numbers, but Mendlowitz did not respond to the follow-up.
Anyone who copied the exposed data could easily misuse it: a full card number together with its expiry date is enough for criminals to make fraudulent charges against the cards.
Paay said it is already working with a forensic auditor to understand the scope of the security lapse, and that it has informed about 15 to 20 merchants of the data breach.
Unprotected Files and Database
Paay isn’t the first payment processor to admit a security lapse this year. Earlier this month, Sen also found another payment processor that had exposed 6.7 million credit card transaction records online.
Two payment sites, courtpay.org and utilitypay.org, left a database exposed that held years of transactions. The directory contained payees’ names, postal addresses, email addresses, and phone numbers.
The last four digits of payers’ credit card numbers were also exposed, along with each card’s expiry date.