Over 5 million user records from Yatra.com were breached, exposing usernames, passwords, PIN codes, phone numbers, and much more. The breach was uncovered by Have I Been Pwned (HIBP) on Thursday. HIBP is a widely trusted platform started by Troy Hunt, a Microsoft employee, that lets you submit your email address and alerts you if it shows up in any hacked databases.
It was first reported by breached database directory Vigilante.pw, and if you have an account with the site, it's a good idea to change your password. And if you re-use that password for other accounts, please stop doing that because it is not 1990 anymore.
HIBP tweeted that the breach occurred in 2013, but this doesn't seem to have been reported by Yatra to users at any point. HIBP pointed out that the breach exposed email and physical addresses, apart from phone numbers, PIN codes, dates of birth, and passwords stored as plaintext.
Typically, a password is stored as a one-way hash rather than in a readable form, so that even if a database is breached the attacker does not get immediate access to the passwords. In the case of the Yatra breach, however, your email address and password combination were directly readable. If you use the same email and password combination on multiple websites, it is safe to assume that those accounts have been compromised as well. If you fall into that category, start changing all your passwords now, and better still, install a password manager.
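To make the difference concrete, here is an added example (not code from the article or from Yatra) contrasting the two storage schemes: a plaintext row of the kind this breach exposed, and a salted scrypt hash, which is what a leaked database should contain instead. The user name and password are constructed sample values; the scrypt cost parameters are assumed reasonable defaults.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt work factors (assumed defaults; raise N as hardware allows)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def store_plaintext(password: str) -> str:
    """The bad scheme: the stored record IS the password."""
    return password


def store_hashed(password: str, salt: Optional[bytes] = None) -> str:
    """The good scheme: record = 'scrypt$<salt hex>$<digest hex>'.
    A fresh random salt per user means two users with the same
    password still get different records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_hashed(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, salt_hex, digest_hex = record.split("$")
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def leaked_record_reveals_password(record: str, password: str) -> bool:
    """What a dumped row hands over directly: does the secret appear verbatim?"""
    return password in record


if __name__ == "__main__":
    # constructed sample user; not a real account
    user, pw = "traveller@example.com", "correct horse battery staple"
    bad_row, good_row = store_plaintext(pw), store_hashed(pw)
    print(user, "plaintext row exposes password:", leaked_record_reveals_password(bad_row, pw))
    print(user, "hashed row exposes password:", leaked_record_reveals_password(good_row, pw))
    print("login still works against hashed row:", verify_hashed(pw, good_row))
```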
Although there have been cases of data breaches in India, few companies have come forward and publicly addressed this. Last year, Zomato was hacked and 17 million user accounts compromised, although Zomato later said that the hacker had agreed to stop selling the user data, making a deal with the company instead. Soon after this, Zomato launched one of the few serious bug bounty programs in India, where companies pay researchers for exposing flaws in their security. This is a standard practice around the world, and helps to identify and remove weaknesses from systems, but in India most companies don't follow this practice.
Security researchers talked of big payouts from companies like Facebook and Uber while being ignored at home. Even the few companies that do offer money, including Zomato, Ola, and Paytm, rarely acknowledge weaknesses, and security researchers said this hurts their credibility.