Developing Story: Updates at end
In what can be termed as one of the most disastrous online incidents, hackers have managed to get pass the "whatsoever security" implemented by India's leading payment gateway - CCAvenue. It is being said that the hack has been made possible by "Hidden SQL Injection".
SQL Injection took down a website that deals in Money, are you kidding me?
SQL Injections (read more) happen to be one of the basic methodologies that power online hacking and the so called India's leading payment gateway did not have any protection for it. This comes from a report on Hackerregiment.com and the website has apparently gone down now.
Here is what all the hackers have laid their hands on:
- All administrative passwords at CCAvenue
- list of databases
- some information on tables within the databases
Hackerregiment received an e-mail from a hacker who goes by the name, which had screenshots suggesting that all administrator passwords at CCAvenue may have been leaked.
However, the CEO of CCAvenue - Vishwas Patel has clarified that more than 85-90% of the transactions on CCAvenue are netbanking and non-credit cards related and such transactions go through the bank server, where the end customer enters usernames and passwords. CCAvenue does not store any such important information on their servers as required by Payment Card Industry Data Security Standards. So, users essentially entered all the data on the bank servers and CCAvenue is just a redirector.
Update 2: The CEO of CCAvenue claims that passwords on CCAvenue are encrypted. However, one Heytal R says on Twitter that when he used "forgot password" on CCAvenue he got back his plain text password back. If the passwords are encrypted and hashed (as the CEO says) users should not be able to see their passwords again rather they should be sent a link to reset their passwords.
Update 1: Here is a link to the original copy of the email which was received by Hackerregiment.