Paay Exposed Millions of Credit Card Transactions. What Should Users Do?

Paay Data Leak

Online service providers simply can't keep up with the large volumes of data they need to process. Configuration mistakes are all too common and they lead to the exposure of information on a daily basis. Security researchers spend the better part of their days looking for open databases that hold personal data, and some of their discoveries are far more disconcerting than others. For example, when Anurag Sen, a security expert, found around 2.5 million records hosted on a server that was accessible from anywhere in the world and was not protected by a password, he knew that immediate actions must be taken to secure the data.

The database belonged to Paay, a payment processor, and each of the 2.5 million records was a credit card transaction. Sen got in touch with TechCrunch's Zack Whittaker, who confirmed the source of the data and reported that the leak exposed plaintext credit card numbers, expiration dates, and the amount spent in each transaction.

Yet another online company misconfigures its database and leaks information

Whittaker got in touch with Paay, notified them about the breach, and asked what exactly had happened. Yitz Mendlowitz, one of the payment processor's co-founders, told Whittaker that Paay's IT team set up the server on April 3, while they were in the middle of deprecating one of the services the platform offers. Due to "an error," information on transactions dating back to September 1, 2019 was left without a password. Paay secured the data shortly after receiving the notification, but by the time the company learned of the exposure, the database had already been online for close to three weeks, which is an awful lot of time in this day and age.

It should come as no consolation that Paay is far from the only service provider that has leaked data due to a configuration error. In fact, you could argue that instead of organizing sophisticated attacks on specific targets, the cybercriminals that want to get their hands on some sensitive information are much better off firing up one of the specialized search engines that can identify poorly configured databases. But what sort of damage could they have done with the information leaked by Paay?

The range of the leaked data was limited

At first, Paay tried to deny the presence of full, plaintext credit card numbers in the leaked database. Yitz Mendlowitz initially said that the platform doesn't store card numbers because it has "no use for them." When Zack Whittaker presented evidence that the card numbers were, in fact, leaked, however, Mendlowitz failed to respond.

The presence of full card numbers is definitely worrying, but details like the cardholder's name and the CVV code are missing, which means that crooks armed with the data would have had a hard time processing any fraudulent transactions.

Nevertheless, affected people must be a bit more careful. Some card issuers won't replace a credit card without evidence of misuse, which means that users who have made payments through Paay over the last six months must pay closer attention to their bank statements. As this case shows, companies often don't realize that they are exposing sensitive information, so even if you're not affected by Paay's data leak, you should still check your balance regularly and report any fraudulent activity immediately.

April 24, 2020