Hackers exploited the authorization & authentication process of Razorpay's payment gateway to exfiltrate over 70 million...

Continue reading
Razorpay, a Bengaluru-based fintech unicorn startup, filed a complaint at cybercrime police against theft of a staggering ₹7.3 Cr.
According to the lawsuit submitted by Razorpay, this online theft was found following the auditing of the business's transactions, particularly when company officials were unable to match receipts of ₹7,38,36,192 with 831 transactions that occurred during the last three months.
Abhishek Abhinav Anand, the head of legal issues and law enforcement at Razorpay, submitted a complaint on May 16 and presented the Bangaluru Police with the specifics of 831 unsuccessful transactions, including the date, time, and IP address, among other pertinent information.
While an internal investigation was conducted by Razorpay Software Private Limited with the assistance of the Cybercrime division based on the provided details of the failed transactions, including date, time, IP address, and other pertinent information to the police, as the 'authorization and authentication process' had been compromised by the hacker(s). As a result, Razorpay received bogus 'approvals' for the 831 unsuccessful transactions, resulting in a loss of ₹7,383,61,192.
During a typical payment procedure, an unauthorized actor(s) with malicious intent manipulated authorization data on a few merchant sites utilizing an earlier version of Razorpay's integration owing to weaknesses in their payment verification process, according to a Razorpay spokeswoman. No end-users, merchant data, or merchant payments were compromised by this event."
The firm claims to have taken measures to permanently minimize the issue and prevent future recurrence. It also claims to have recovered a portion of the stolen funds and is collaborating with the appropriate authorities to complete the process.
The eight-year-old fintech unicorn promises to facilitate digital payments for more than two hundred thousand enterprises, such as Airtel, IRCTC, NSE, Swiggy, etc. The likelihood of 'false' permission weakens the company's security system due to the reliance of large-scale businesses on the network and its payment authorization method.

U.S. Army recruiting pages hijacked to display fake 404 errors reading ‘Kurdistan’, exploiting a third-party tool and exposing .mil web security gaps.