Personal information of around 600,000 customers of the India-based HDFC Bank has allegedly been leaked by hackers on a popular cybercriminal forum.
Update 7 March: In a comment to Privacy Affairs, the official HDFC Bank Twitter account explained that no data breach of any kind took place and no data was leaked to the internet.
Update 6 March: It appears that beginning a few hours ago, on 6 March, a significant number of Indian Twitter users started reporting massive outages, failed transfers and even scam messages on the official HDFC bank mobile app.
Indian users reported on Twitter that none of their initiated transactions are being executed in their online banking accounts. Some users even claimed that when accessing the official HDFC mobile app, they were greeted by a possible scam message.
This is what an Indian Twitter user posted:
Based on the above, it seems that this event is something much bigger than a data breach. It appears that hackers have managed to gain access to core online banking functionality and even hijacked the bank’s mobile app and web platform.
Another Twitter user commented that after executing a transfer the money was taken from their account but never reached its intended destination. This could potentially indicate that the hackers may be able to redirect initiated transfers to their own accounts.
It also appears that the hackers have created a fake Twitter handle responding to all complains with a generic message, instructing people to reach out to the two phone numbers provided. This is likely another attempt at scamming and defrauding users.
The account in question clearly does not belong to HDFC and was created just today, 6 March, for the sole purpose of replying to complaining users on Twitter.
ORIGINAL:
On March 6, 2023, cybercriminals on a popular hacker forum claimed to have obtained a database allegedly belonging to the India-based HDFC Bank. The criminals provided data samples while demanding money for the full database.
The criminals explained that the hack was allegedly obtained just recently, in early March 2023, and contains data from May 2022 to March 2023.
The hackers claim that the data contains extremely sensitive information on client accounts, such as full name, date of birth, phone number, email address, physical address, employment information, credit scores, loan information, and more.
If the leak is genuine, this data could turn out to be a trove for cybercriminals looking to launch spam, scam and phishing campaigns.
Considering that the data lists peoples’ real identity as well as their financial information, this could pose a serious risk. Criminals could specifically target high-value individuals based on their financial history.
The fact that email addresses and physical addresses of clients are also allegedly included in this leak could enable criminals to attempt to hack clients’ banking accounts or other online accounts.
Criminals could also use this information in social engineering attacks where they pretend to be someone exposed by this leak. They could potentially attempt to reach out to the bank’s customer support representatives and try to obtain further sensitive information, such as credit card details or passwords.
Scammers could also use this data to reach out to exposed individuals pretending to be from HDFC Bank, directing them to a fake banking-related web-page where victims will be asked to enter their usernames and passwords.
The criminals could then use that information to access online banking accounts and steal the victims’ funds.
Here is an example of the same data provided by the cybercriminals:
Privacy Affairs has reviewed the samples posted on the hacker forum, and the posted data appears to be genuine, which could indicate that the whole database leaked is also genuine.
The hackers who posted this leak were in the past also responsible for other high-profile leaks that turned out to be genuine, such as the recent data leak affecting the US-based Bank of America.
HDFC Bank is an Indian financial services company. It’s one of the country’s largest private-sector banks by assets. It’s the third-largest company by market capitalization in India. It has over 150,000 employees in the country.
We believe security online security matters and its our mission to make it a safer place.
2 Comments
Ryn
March 9, 2023 3:39 pm
So sad, How come HDFC so careless. Not just HDFC but most of the banks don’t pay attention with their online platforms. This is 2023 bro…
Rituraj Singh Parmar
March 9, 2023 1:24 pm
I am with you on the data security observation.I personally raised the concern many time internally and made a complaint to the regulator.I will am holding some proofs also and many proofs are being damaged by the bank .The case is reported to regulator and filing a case in the court of law for justice .Let’s join hand to fix the data security issue and appropriate penalty to the person and the organisation involved