Indian Fintech Start-up, Slice Pay, Suffers Massive Data Breach – Personal Details of over 21,000 Students Leaked

 Indian tech-based companies have been under the sharp focus of cybercriminals for a variety of reasons such as inadequate security measures, speed vs control etc.
On this instance, Cyble’s researchers identified an actor who was selling 56GB of data, comprising of 21,000+ students Aadhar Card, their university IDs, their photo and full Signature with other details. The breach allegedly is attributed to a FinTech company, Slicepay.
Since Cyble has seen a variety of massive data breaches where 100,000s of IDs were leaked, we would have ideally skipped it, until we saw the keyword “Signatures“. Some of the other information included in the leak were – name, phone, email, aadharNumber, DateOfBirth, Gender, Full Address, College, Course, GraduationDate, Friend’s name, Friends’ number
About Slice Pay: slice (prev SlicePay) is a Fintech startup focused on Young India. They are building a transparent and less time-consuming financial platform to enhance the life experience for young Indians.
The company has raised over $27M by investors such as Gunosy, FINUP, Das Capital, Blume Ventures and others. The company acquired Trustio in 2017.
Below is the original post by the actor.

Cyble researchers decided to acquire the data and further validate the legitimacy of it.
Upon the data acquisition, the claim of the actors was verified to be legit –

Per the actor, the breach occurred due to an exposed Cloudinary bucket (cloud-based image and video management services).

Based on the leaked information, and per the actor claims, it appears the breach occurred in July 2020. Cyble has indexed the leaked data on its data breach monitoring and notification platform, AmIbreached.com.