Earlier this week, a group of cybersecurity researchers disclosed a data exposure affecting millions of users of BHIM, a mobile payment app developed in India. Vpnmentor, one of the world's largest virtual private network (VPN) companies, says the exposure amounts to a data breach of the app's users.

Vpnmentor's researchers add that a website operated by the Indian government to promote technologies such as BHIM exposed the personal information of millions of users. Cybercriminals could use this information to run malicious campaigns against them.

In response, a representative of the National Payments Corporation of India (NPCI) stated that the data stored by the BHIM app itself, which has more than 130 million downloads, was not compromised. "On the other hand, the developers of the affected website could have avoided this incident if they had implemented basic security measures," he said.

Some time ago, the Ministry of Electronics and Information Technology launched an initiative called Common Services Center-BHIM, with a portal used by field agents as part of a campaign to drive adoption of the payment system. According to Vpnmentor, data gathered during this campaign was stored in a misconfigured Amazon Web Services (AWS) S3 bucket that allowed anyone on the Internet to read its contents without authentication, exposing millions of users.
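A bucket ends up readable by the whole Internet through one of three settings: a bucket policy that grants read actions to Principal "*", an ACL grant to the AllUsers group, or Public Access Block being switched off so that neither of those is overridden. The script below is an added example for this article, not code from Vpnmentor, NPCI or AWS; it evaluates those three inputs offline, in the JSON shape that `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` return, and the bucket name, role ARN and sample documents in it are constructed for illustration.

```python
"""Offline check for an S3 bucket whose objects anyone on the Internet can read.
Added example, not code from the report or from AWS; all inputs are constructed."""

# ACL grantee groups that make a grant public. AuthenticatedUsers means
# "any AWS account in the world", which is public for practical purposes.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions (lower-cased) that let a caller enumerate or download objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:list*", "s3:*", "*"}
# All four flags are True on a correctly hardened bucket.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM JSON allows a scalar wherever a list is accepted."""
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """IAM treats Principal "*" and {"AWS": "*"} as everyone, unauthenticated included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy):
    """Allow statements that grant a read action to an anonymous principal."""
    hits = []
    for stmt in _as_list((policy or {}).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            hits.append(stmt)
    return hits


def public_acl_grants(acl):
    """ACL grants that hand READ or FULL_CONTROL to a public group."""
    return [g for g in (acl or {}).get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS
            and g.get("Permission") in ("READ", "FULL_CONTROL")]


def assess_bucket(policy, acl, public_access_block):
    """Return a list of findings; an empty list means nothing anonymous can read.
    Mirrors S3 evaluation: RestrictPublicBuckets makes S3 ignore a public bucket
    policy and IgnorePublicAcls makes it ignore public ACL grants, so each flag
    neutralises the matching finding even if the policy or ACL is still open."""
    pab = public_access_block or {}
    findings = []
    if not pab.get("RestrictPublicBuckets", False):
        for stmt in public_read_statements(policy):
            kind = "conditional, review the Condition" if stmt.get("Condition") else "unconditional"
            findings.append("policy grants %s to Principal * (%s)"
                            % (", ".join(_as_list(stmt.get("Action"))), kind))
    if not pab.get("IgnorePublicAcls", False):
        for grant in public_acl_grants(acl):
            findings.append("ACL grants %s to %s"
                            % (grant["Permission"], grant["Grantee"]["URI"].rsplit("/", 1)[-1]))
    missing = [k for k in PAB_KEYS if not pab.get(k, False)]
    if missing and findings:
        findings.append("Public Access Block not enforced: %s" % ", ".join(missing))
    return findings


# Constructed sample: the kind of configuration that leaves a bucket wide open.
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-campaign-data", "arn:aws:s3:::example-campaign-data/*"]}]}
OPEN_ACL = {"Owner": {"ID": "owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
NO_PAB = {k: False for k in PAB_KEYS}

# Constructed sample: the same bucket after hardening (hypothetical role ARN).
PRIVATE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/campaign-uploader"},
    "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-campaign-data/*"}]}
PRIVATE_ACL = {"Owner": {"ID": "owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}
HARDENED_PAB = {k: True for k in PAB_KEYS}

if __name__ == "__main__":
    for label, args in (("open", (OPEN_POLICY, OPEN_ACL, NO_PAB)),
                        ("hardened", (PRIVATE_POLICY, PRIVATE_ACL, HARDENED_PAB)),
                        ("open policy but PAB on", (OPEN_POLICY, OPEN_ACL, HARDENED_PAB))):
        print(label, "->", assess_bucket(*args) or ["no anonymous access"])
```

The third sample is the one to notice: the open policy and ACL are still present, yet the bucket is not exposed because Public Access Block overrides them. That is why enabling all four flags at the account level is the standard fix for this class of incident, and why a check that only reads the policy document would report a false positive.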

Although an exact number of affected users has not been disclosed, the company describes the incident as one of extraordinary scope, noting that more than 400 GB of data may have been exposed. The authorities argue that this is not the time for speculation and that official information will be disclosed as soon as possible. The app was launched in 2016, and considerable effort has since been invested in promoting its use.

The exposure was detected on April 23 and the Indian Computer Emergency Response Team (CERT-In) was contacted on April 28; CERT-In responded the next day.

In the report published by Vpnmentor, researchers Noam Rotem and Ran Locar wrote that the large volume of private and sensitive data exposed, including UPI IDs, document scans and more, makes this breach a serious privacy problem in one of the most complex data privacy environments in the world.