An unprotected database belonging to JustDial, India’s largest local search service, is leaking in real time the personally identifiable information of every customer who accessed the service via its website, mobile app, or even by calling its fancy “88888 88888” customer care number, The Hacker News has learned and independently verified.
Founded over two decades ago, JustDial (JD) is the oldest and leading local search engine in India that allows users to find relevant nearby providers and vendors of various products and services quickly while helping businesses listed in JD to market their offerings.
Rajshekhar Rajaharia, an independent security researcher, yesterday contacted The Hacker News and shared details of how an unprotected, publicly accessible API endpoint of JustDial’s database can be accessed by anyone to view profile information of over 100 million users associated with their mobile numbers.
The leaked data includes JustDial users’ name, email, mobile number, address, gender, date of birth, photo, occupation, company name they are working with—basically whatever profile related information a customer ever provided to the company.
Though the unprotected APIs have existed since at least mid-2015, it’s not clear whether anyone has misused them to gather personal information on JustDial users.
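The core weakness described above is a profile-lookup API that requires no authentication and returns a full record for any mobile number supplied. The following added example (not code from JustDial or from The Hacker News) models that shape in plain Python: a toy insecure handler beside a hardened one that requires a session token and applies object-level authorization, plus a small log-based check that flags a client querying many distinct numbers. All records, session tokens, log lines, IP addresses and the `/profile?mobile=` path are constructed for this illustration and are not the real service's data or endpoint.

```python
"""Toy profile-lookup API: insecure vs. hardened handler, plus an enumeration
detector over constructed access-log lines. Nothing here is JustDial's code."""
from collections import defaultdict
import hmac
import secrets

# Constructed sample records (fictional), keyed by mobile number.
PROFILES = {
    "9100000001": {"name": "A. Example", "email": "a@example.invalid", "dob": "1990-01-01"},
    "9100000002": {"name": "B. Example", "email": "b@example.invalid", "dob": "1985-05-05"},
}

# Constructed in-memory session store: token -> mobile number of the logged-in user.
SESSIONS = {}


def issue_session(mobile):
    """Create a random bearer token for a logged-in user (login flow is out of scope)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = mobile
    return token


def lookup_insecure(params):
    """Vulnerable shape: any caller who supplies a mobile number gets the full profile.
    No authentication, no authorization, so the whole table can be walked."""
    profile = PROFILES.get(params.get("mobile"))
    if profile is None:
        return 404, {"error": "not found"}
    return 200, profile


def lookup_hardened(params, headers):
    """Hardened shape: require a valid session and only return the caller's own record."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, {"error": "authentication required"}
    requested = params.get("mobile", caller)
    # Object-level authorization: a user may read only the record they own.
    # Respond exactly as for an unknown number so the endpoint cannot be used
    # to confirm whether some other number is registered.
    if not hmac.compare_digest(requested.encode(), caller.encode()):
        return 404, {"error": "not found"}
    profile = PROFILES.get(caller)
    if profile is None:
        return 404, {"error": "not found"}
    return 200, profile


# Constructed access-log lines: "<client ip> <method> <path> <status>".
LOG_LINES = [
    "203.0.113.5 GET /profile?mobile=9100000001 200",
    "203.0.113.5 GET /profile?mobile=9100000002 200",
    "203.0.113.5 GET /profile?mobile=9100000003 404",
    "203.0.113.5 GET /profile?mobile=9100000004 404",
    "198.51.100.7 GET /profile?mobile=9100000002 200",
]


def flag_enumeration(lines, threshold=3):
    """Return client IPs that requested at least `threshold` distinct mobile numbers.
    A legitimate user looks up their own number; a crawler walks the number space."""
    seen = defaultdict(set)
    for line in lines:
        ip, _method, path, _status = line.split()
        query = path.partition("?")[2]
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        if "mobile" in params:
            seen[ip].add(params["mobile"])
    return sorted(ip for ip, numbers in seen.items() if len(numbers) >= threshold)


if __name__ == "__main__":
    print("insecure:", lookup_insecure({"mobile": "9100000002"}))
    token = issue_session("9100000001")
    print("hardened, other user's number:", lookup_hardened({"mobile": "9100000002"}, {"Authorization": "Bearer " + token}))
    print("hardened, own record:", lookup_hardened({}, {"Authorization": "Bearer " + token}))
    print("suspected enumeration from:", flag_enumeration(LOG_LINES))
```

The hardened handler answers a request for someone else's number with the same 404 it gives for an unknown number, so the fix closes both the data exposure and the registration-oracle side channel; the log check is the kind of signal a defender would want in place so that a multi-year exposure like the one reported here does not go unnoticed.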