Hackers claim to have found vulnerability in BHIM app; NPCI denies data compromise 

Published: 01st June 2020 07:47 PM | Last Updated: 01st June 2020 07:47 PM

BHIM App | Wikimedia Commons


MUMBAI: A group of ethical hackers on Monday claimed to have discovered a vulnerability affecting millions of users of the BHIM app, a claim denied by NPCI, which operates the small-value payments application.

Vpnmentor, which described itself as the largest virtual private network review website and as running a research lab that helps the online community defend itself against cyber threats, alleged that a "data leak" had been discovered in the payments app.

"The developers of the CSC/BHIM website could have easily avoided exposing user data if they had taken some basic security measures to protect the data," it said.

It claimed that "a massive amount of incredibly sensitive financial data connected to the BHIM mobile payment app was exposed to the public".

Part of the data was being stored "on a misconfigured Amazon Web Services S3 bucket and was publicly accessible", it said.

"The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals," it said.

In their study, cybersecurity researchers Noam Rotem and Ran Locar said exposure of BHIM user data is akin to a hacker gaining access to the entire data infrastructure of a bank, along with millions of its users' account information.

"Having such sensitive financial data in the public domain or the hands of criminal hackers would make it incredibly easy to trick, defraud, and steal from the people exposed," they said.

"We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations," a statement from state-run National Payments Corporation of India said.

It added that the body follows a high level of security and an integrated approach to protect its infrastructure and continues to provide a robust payments ecosystem.
