A database belonging to the Indian local search service JustDial was left online without protection exposing personal data of over 100M users.

The archive is still leaking personally identifiable information of more than JustDial customers that are accessing the service via its website, mobile app, or even by calling on the customer care number (“88888 88888”).

The news was first reported by The Hacker News that independently verified the authenticity of the story.

JustDial is the largest and oldest search engine in India that allows its users to find vendors of various products and services.

The independent researcher Rajshekhar Rajaharia discovered how an unprotected, publicly accessible API endpoint of JustDial’s database can be accessed by anyone.



The leaked data includes username, email, mobile number, address, gender, date of birth, photo, occupation, company name and other.

According to the expert, data remained exposed since at least mid-2015 through unprotected API, at the time it is not clear if anyone had accessed the huge trove of data.

Experts at THN provided Rajshekhar a new phone number that was never before registered with Justdial server, then used it to contact the JustDial service and request information on restaurants, The service created a profile and associated it with the number provided by THN. Rajshekhar was able to access the profile a circumstance that confirmed that expose DB was the one associated with production systems.



“Although the unprotected API is connected to the primary JD database, Rajshekhar revealed that it’s an old API endpoint which is not currently being used by the company but left forgotten on the server.” reads the post published by THN.

Rajshekhar discovered this unprotected end-point while conducting a penetration test on the latest APIs, which are apparently protected.

Rajshekhar also found other issued associated with old unprotected APIs, one of them could be exploited by anyone to trigger OPT request for any registered phone number making possible to spam users.

Rajshekhar attempted to report the issues to the company but without success.

Pierluigi Paganini

(SecurityAffairs – hacking, JustDial)

Share this...

Linkedin Reddit Pinterest

Share On