The nightmare of the Juspay data breach is far from over for the company and its customers. There’s a huge cache of critical customer data up for sale on the dark web, and although some of the data might be encrypted, cybersecurity researchers believe it’s just a matter of time before hackers crack the code.

Earlier this month Juspay revealed that it discovered the breach on 18 August, when an automatic system alert was triggered due to a sudden increase in the usage of system resources on a server that formed part of its payment system. Following the discovery, Juspay said it terminated the affected server and sealed the entry point for the intrusion.

In the wake of the incident, Juspay carried out a full-scale system audit and informed its merchants of the cyberattack the same day. The investigation revealed that hackers were able to gain unauthorized access by exploiting an unrecycled Amazon Web Services (AWS) access key. According to Juspay, close to 35 million customer accounts with masked card data and card fingerprints were breached.

However, Rajshekhar Rajaharia, an independent cybersecurity researcher and former crime analyst for the Indian government who first highlighted the data leak, said the number could be higher: “When the seller on the dark web sent a sample of the dataset, it comprised the entire MySQL data dump, which consists of 10 crore (100 million) customer accounts.”

The seller, going by the name “Data” in dark-web circles, put the stolen data on Øbin.net, a Pastebin-like site that encrypts the documents it hosts, allowing users to share the encryption key and download link with others. The seller also used the Telegram messaging app to carry out negotiations and bargains.
Telegram is popular with hackers as it enables them to set self-destruct timers on messages and media.

“The hacker started at $8000 (roughly ₹590,000) as the asking price for the data, then stepped down to $6000. He ultimately settled for $5000 for the Juspay data dump,” said Rajaharia.

In addition to the stolen data from Juspay, Rajaharia said the same hacker put up customer information purportedly from three more Indian startups: 8 million stolen customer records from ClickIndia, a classified ad posting site; 1 million customer accounts for sale from ChqBook, a net banking firm for small businesses; and 1.3 million customer accounts from WedMeGood, a matrimonial site. “I've been able to verify that the stolen data from ClickIndia and WedMeGood is genuine,” Rajaharia said.

Why the Juspay data breach will continue to be a concern — even years later

Juspay said it protects customer accounts in accordance with the Payment Card Industry Data Security Standard (PCI-DSS). The payments company said it uses masked card data and card fingerprints.

The trouble is, card fingerprinting is not foolproof. Here’s why:

Card fingerprints help payment processing companies to detect duplicate cards without having to refer to the card number. The fingerprint is basically a hash value of the 16-digit card number that uniquely identifies the debit or credit card by matching it with the customers’ Permanent Account Number (PAN). Hashing is a process that is far simpler to perform in one direction than the other: calculating the hash of a card number should be easy; finding the card number that corresponds to a given hash value should be hard. Commonly used hashing algorithms include MD5 (Message Digest 5), SHA-2, SHA-256, and CRC32.

The MD5 hash function, for instance, encodes the data into a 128-bit fingerprint. Although MD5 is one of the most commonly used algorithms, it’s infamous for its hash collision vulnerabilities.
A hash collision occurs when two different inputs to a hash function (card numbers or documents, say) produce the same hash result. Hash collisions can be found by brute force, trying all possible inputs, but flaws in some hashing algorithms mean shortcuts can be used to find collisions. It’s still time-consuming, but hackers have done it in the past and can do it again.

A card number with six digits masked means 1 million combinations (10^6) must be tried to find the true card number. That, Rajaharia said, is not hard to crack: “A simple program run on your personal computer can generate 1 million combinations in minutes.” All the hacker has to do then, he said, is match the computer-generated hash value to the card fingerprint. “Once you’ve matched the hash value to the fingerprint, you get the complete card number.”

Even the SHA-1 algorithm, once considered uncrackable, was shattered by Google in 2017. Since then, easier and more practical ways around it have been devised by hackers.

Juspay could maintain that the hashing algorithm it uses is confidential information and hackers wouldn’t know it. But all it takes is one careless or disgruntled employee to disclose this information to the bad guys.

“The biggest risk factor is that there’s the whole data dump available on a public domain and that information of customers including names, customer IDs, banking details, and most importantly hashed card numbers can be accessed by hackers,” said Rajaharia. “If the hash values of the cards are cracked, even two years from now, all this data can be leaked on the dark web.”
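The risk described above does not depend on the hash algorithm being weak or secret: when the only unknown input is six masked digits, a fingerprint computed directly over the card number can be checked against every candidate, whatever the algorithm. What changes the picture is a secret key that lives outside the database, so that candidates cannot be checked at all without it. The following Python is an added example written for this article, not Juspay's code; the card number, mask and key are constructed values, and the HMAC-based design with the key held in an HSM or KMS is an assumption about a hardened implementation, not something the article attributes to any company.

```python
import hashlib
import hmac
import itertools
from typing import Callable, Iterator, Optional

# Constructed sample values for the demonstration; not real card data and not from the breach.
SAMPLE_PAN = "4111222233334444"   # made-up 16-digit card number
SAMPLE_MASK = "411122XXXXXX4444"  # first six and last four visible, six digits masked, as in the article
SECRET_KEY = b"constructed-demo-key-hold-it-in-an-hsm-not-in-mysql"  # assumption: key kept outside the DB


def unkeyed_fingerprint(pan: str) -> str:
    """Weak design: fingerprint = SHA-256(card number). Anyone can compute it for any candidate."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def keyed_fingerprint(pan: str, key: bytes) -> str:
    """Hardened design: fingerprint = HMAC-SHA256(key, card number).

    Still deterministic, so duplicate cards are still detected, but a candidate can only be
    checked by someone holding the key. A dumped database without the key is not enough.
    """
    return hmac.digest(key, pan.encode("ascii"), "sha256").hex()


def masked_keyspace(mask: str) -> int:
    """How many card numbers are consistent with a mask: 10 per masked digit (10^6 for six X's)."""
    return 10 ** mask.count("X")


def candidates(mask: str) -> Iterator[str]:
    """Yield every full card number consistent with the mask."""
    positions = [i for i, ch in enumerate(mask) if ch == "X"]
    digits = list(mask)
    for combo in itertools.product("0123456789", repeat=len(positions)):
        for pos, d in zip(positions, combo):
            digits[pos] = d
        yield "".join(digits)


def recover_from_mask(mask: str, fingerprint: str, fp: Callable[[str], str]) -> Optional[str]:
    """Risk check: does mask + stored fingerprint give the full card number back?

    Returns the matching card number, or None if nothing in the keyspace produces the fingerprint.
    The same search is what a defender runs to demonstrate the exposure of an unkeyed scheme.
    """
    for pan in candidates(mask):
        if hmac.compare_digest(fp(pan), fingerprint):
            return pan
    return None


if __name__ == "__main__":
    print("candidates behind the mask:", masked_keyspace(SAMPLE_MASK))
    # Unkeyed: masked number + stored hash leaks the full card number.
    print("unkeyed:", recover_from_mask(SAMPLE_MASK, unkeyed_fingerprint(SAMPLE_PAN), unkeyed_fingerprint))
    # Keyed: the same search under any key other than the real one finds nothing.
    stored = keyed_fingerprint(SAMPLE_PAN, SECRET_KEY)
    guessed = b"some-key-the-dump-did-not-contain"
    print("keyed, without the key:", recover_from_mask(SAMPLE_MASK, stored, lambda p: keyed_fingerprint(p, guessed)))
```

The point of the keyed version is that the secret is a key, not the algorithm: the algorithm can be public (and in PCI scope it usually is), while the key is the one thing that must not sit in the same MySQL instance as the fingerprints. Note also that keying does not remove the obligation to rotate the key if it is ever exposed, and that a per-record salt would break duplicate detection, which is why a single keyed function is used instead.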
Koushik Sivaraman, threat research lead at CloudSEK, also warned that older hashes like MD5 and SHA-1 can be hacked: “With decent computing power, hackers could crack MD5 hash types within a week.” However, major payment processing firms — especially those that store customers’ credit card information — use SHA-256, a member of the SHA-2 family of cryptographic hash functions, he said. “Hackers would need immense computing power to crack data encoded in SHA-256. But then, if they somehow get access to the encrypted card numbers, they could probably do it.”

Although SHA-256 is harder to crack, that can also deter companies from using it: “As the data has to be decrypted every time, the access time really scales up. This impacts user functionality,” Sivaraman said.

Although the Reserve Bank of India’s (RBI’s) mandate for payment aggregators and payment gateways instructs companies to implement data security standards and best practices like PCI-DSS, PA-DSS, and the latest encryption standards, it doesn’t specifically mandate SHA-256. And PCI-DSS requirement 4.1 advises against the use of SHA-1, but doesn’t prohibit it.

The road ahead — for Juspay and Indian fintech

Juspay has advised its merchant partners to refresh their API keys and invalidate the old keys.
The payment company will also be discontinuing access key-based automation and switching to role-based access controls that use temporary security credentials. In addition, the company has committed to tightening internal access control protocols, investing in enhanced threat monitoring tools, and engaging with threat intelligence experts.

The Juspay data breach incident is a learning opportunity not just for the company itself, but for the digital payments industry as a whole.

Saurabh Sharma, senior security researcher at Kaspersky (APAC), said companies tend to overlook internal vulnerabilities. “This can prove to be very damaging to their reputation and business if exploited by the bad guys,” he said.

Among the best practices companies can adopt, Sharma suggested ongoing network and server evaluations, proactively detecting zero-day vulnerabilities, and further incentivizing bug bounty programs.
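The entry point in this incident was a long-lived AWS access key that was never recycled, and the remediation the article describes (invalidating old keys, moving automation to roles with temporary credentials) is the kind of "ongoing evaluation" that can be made a routine check. The Python below is an added example written for this article, not Juspay's tooling: it audits IAM access-key metadata for keys that are past a rotation age, idle, never used, or disabled but never deleted. The thresholds are assumed organisational policy (the article gives none), the sample records are constructed in the shape IAM returns, with placeholder key IDs, and the optional boto3 collector is included only to show where the same records would come from in a real account.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Assumed policy thresholds; not stated in the article.
MAX_KEY_AGE_DAYS = 90   # a long-lived key older than this should be rotated or retired
MAX_IDLE_DAYS = 30      # an active key nobody has used for this long should be disabled

# Constructed sample in the shape of IAM AccessKeyMetadata, plus LastUsedDate from
# get_access_key_last_used (None when the key has never been used). Placeholder IDs, not real keys.
NOW = datetime(2021, 1, 20, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "ci-deploy", "AccessKeyId": "AKIAEXAMPLE0000000001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=400), "LastUsedDate": NOW - timedelta(days=2)},
    {"UserName": "ci-deploy", "AccessKeyId": "AKIAEXAMPLE0000000002", "Status": "Active",
     "CreateDate": NOW - timedelta(days=200), "LastUsedDate": None},
    {"UserName": "analyst", "AccessKeyId": "AKIAEXAMPLE0000000003", "Status": "Active",
     "CreateDate": NOW - timedelta(days=10), "LastUsedDate": NOW - timedelta(days=1)},
    {"UserName": "old-batch", "AccessKeyId": "AKIAEXAMPLE0000000004", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=900), "LastUsedDate": NOW - timedelta(days=500)},
    {"UserName": "reporting", "AccessKeyId": "AKIAEXAMPLE0000000005", "Status": "Active",
     "CreateDate": NOW - timedelta(days=60), "LastUsedDate": NOW - timedelta(days=45)},
]


def classify_key(key: Dict, now: datetime) -> List[str]:
    """Return the findings for one access key; an empty list means the key is within policy.

    A disabled key cannot authenticate, but it still exists and can be re-enabled, so it is
    flagged for deletion rather than ignored.
    """
    if key["Status"] != "Active":
        return ["inactive-not-deleted"]
    findings = []
    age_days = (now - key["CreateDate"]).days
    if age_days > MAX_KEY_AGE_DAYS:
        findings.append(f"older-than-{MAX_KEY_AGE_DAYS}d")
    last_used = key.get("LastUsedDate")
    if last_used is None:
        findings.append("never-used")
    else:
        idle_days = (now - last_used).days
        if idle_days > MAX_IDLE_DAYS:
            findings.append(f"idle-{idle_days}d")
    return findings


def audit(keys: List[Dict], now: datetime) -> Dict[str, List[str]]:
    """Map each out-of-policy AccessKeyId to its findings; compliant keys are omitted."""
    report = {}
    for key in keys:
        findings = classify_key(key, now)
        if findings:
            report[key["AccessKeyId"]] = findings
    return report


def fetch_iam_keys() -> List[Dict]:
    """Optional live collector using boto3 (not run in this example; needs credentials with
    iam:ListUsers, iam:ListAccessKeys and iam:GetAccessKeyLastUsed). Returns records in the
    same shape as SAMPLE_KEYS so that audit() works unchanged on real data."""
    import boto3  # imported here so the audit logic above has no AWS dependency
    iam = boto3.client("iam")
    keys = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            for meta in iam.list_access_keys(UserName=user["UserName"])["AccessKeyMetadata"]:
                used = iam.get_access_key_last_used(AccessKeyId=meta["AccessKeyId"])["AccessKeyLastUsed"]
                keys.append({**meta, "LastUsedDate": used.get("LastUsedDate")})
    return keys


if __name__ == "__main__":
    for key_id, findings in audit(SAMPLE_KEYS, NOW).items():
        print(key_id, ", ".join(findings))
```

In the sample data the never-used 200-day-old key on the automation user is the case that matters most: it authenticates, nobody notices it, and nothing in the account depends on it, so it can be deleted the same day it is found. Running this check on a schedule, and treating any long-lived key on an automation identity as a finding in itself, is the practical content of the move to roles with temporary credentials.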