MUMBAI: A group of ethical hackers on Monday claimed to have discovered a vulnerability affecting millions using the BHIM app, a claim which was denied by NPCI that operates the small value payments application.

Vpnmentor, which claimed to be the largest virtual private networks review website offering a research lab that helps the online community defend itself against cyber threats, alleged that there has been "data leak" discovered in the payments app.

"The developers of the CSC/BHIM website could have easily avoided exposing user data if they had taken some basic security measures to protect the data," it said.

It claimed that "a massive amount of incredibly sensitive financial data connected to the BHIM mobile payment app was exposed to the public".

Parts of data were being stored "on a misconfigured Amazon Web Services S3 bucket and was publicly accessible", it said.

"The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals," it said.

In their study, cybersecurity researchers Noam Rotem and Ran Locar said exposure of BHIM user data is akin to a hacker gaining access to the entire data infrastructure of a bank, along with millions of its users' account information.

"Having such sensitive financial data in the public domain or the hands of criminal hackers would make it incredibly easy to trick, defraud, and steal from the people exposed," they said.

"We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations," a statement from state-run National Payments Corporation of India said.

It added that the body follows a high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem.