Last Updated on 23/10/2020 by Tuhin
Bharatmatrimony.com is one of the most widely used online matchmaking sites in India. According to Cyble, an Atlanta-based cybersecurity firm, personal data from the matchmaking site was available for sale on the dark web. The matrimony company has stated that it is investigating the matter and assured that there has been “no breach of its current active database of customers”.
According to Cyble's reports, the leaked information includes sensitive personal details such as customer names, phone numbers, user IDs, and the date and time of account creation. The data, adding up to about 1.7GB and belonging to thousands of customers, was on sale for as low as $500 in cryptocurrency, according to Cyble researchers.
After the events came to light, a spokesperson for Matrimony.com said, “We are aware of a security issue that has been reported to us recently. As per our investigation, there has been no breach of our current active database of customers. What has been reported belongs to an old database and no sensitive information has been compromised, as we continue to follow the highest order of industry encryption for our customers.”
“Security is a high priority focus area which is continuously monitored through technology advancements and interventions. We assure you that we remain 100% committed to it. We are still investigating and can’t confirm or deny an SQL vulnerability.”
BharatMatrimony is a part of Matrimony.com, founded by Murugavel Janakiraman in 2001. It is listed on both the National Stock Exchange and the Bombay Stock Exchange. After the events came to light, shares closed 4.04% lower on the NSE on Thursday.
Cyble says that data from the company’s other internet property, Elitematrimony, had also been breached. The CEO and founder of Cyble, Beenu Arora, says, “The threat actor alleged to have exploited a SQL Injection vulnerability on their platform and leveraged that to extract their databases and user records. The actor is actively selling the database in various cybercrime forums for as low as $500.”
SQL, or Structured Query Language, is a programming language that developers use to interact with databases. Data passing between the user and the database is sent and received through SQL queries. In an SQL injection attack, the attacker inserts malicious SQL statements into an input field, which they can exploit to steal data from the website and dump it onto their own server.
The firm said that the unnecessary and malicious parameter ‘themeid’ had been injected into one of the website’s URLs. The breach was identified and brought to the immediate notice of Matrimony.com. It is expected that they will take the necessary actions to safeguard the data and prevent similar attacks in the future.
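The difference between a query built by string concatenation and one that uses bound parameters, shown as an added example that is not taken from Cyble's report or from Matrimony.com's code. Only the parameter name `themeid` comes from the article; the `themes` table, its rows and the function names are hypothetical, and the input string is constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE themes (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO themes VALUES (?, ?)",
                   [(1, "classic"), (2, "festive")])
    return db


def lookup_concatenated(db, themeid):
    # Weak form: the URL parameter is pasted into the SQL text, so the
    # database parses whatever the client sent as part of the statement.
    sql = "SELECT id, name FROM themes WHERE id = " + themeid + " ORDER BY id"
    return db.execute(sql).fetchall()


def lookup_bound(db, themeid):
    # Hardened form: the SQL text is fixed and the value travels separately
    # as a bound parameter, so it is only ever compared as data.
    sql = "SELECT id, name FROM themes WHERE id = ? ORDER BY id"
    return db.execute(sql, (themeid,)).fetchall()


def parse_themeid(raw):
    # Second layer: accept only a short run of ASCII digits before the value
    # reaches the data layer at all.
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 9):
        raise ValueError("themeid must be a small non-negative integer")
    return int(raw)


if __name__ == "__main__":
    db = make_db()
    crafted = "0 OR 1=1"  # constructed input that is not a plain integer
    print("concatenated:", lookup_concatenated(db, crafted))  # every row
    print("bound:       ", lookup_bound(db, crafted))         # no rows
    try:
        parse_themeid(crafted)
    except ValueError as exc:
        print("validation:  ", exc)
```

With the concatenated query the crafted value changes the meaning of the `WHERE` clause and every row comes back; with the bound parameter the same value matches nothing, and the validation step rejects it before any query runs.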