Payments Startup Paay: A New York-based payments startup left millions of credit card transaction records exposed on the Internet, open to anyone, for about three weeks before securing them, according to a media report from Thursday (23rd April 2020).

  • Security researcher Anurag Sen found that the database belongs to Paay, a card payments processor.
  • Soon after that, TechCrunch reported on the findings after alerting the company.
  • Paay pulled the database offline after it became aware of the problem.
  • "On April 3, we spun up a new instance on a service we are currently in the process of deprecating," Paay co-founder Yitz Mendlowitz was quoted as saying.
  • According to Mendlowitz, an error left the database exposed without a password.

Paay is a New York-based startup offering frictionless e-commerce payment authentication that protects merchants against fraudulent chargebacks and also qualifies transactions for a lower interchange rate. As there was no password on the server, anyone could access the data.

TechCrunch reviewed a portion of the database and reported that each record contained a credit card number and expiry date along with the amount spent, but the data included neither the names of the cardholders nor the card verification values. So the exposure has not made it easier for fraudsters to misuse the data.

Later, Mendlowitz stated that his company does not store the card numbers.

At a time when hackers and fraudsters are more inclined to line their own pockets by deceiving others, exposed credit card transaction records of this kind could have led to a much bigger crisis.

Google also recently reported that in one week, from 6th to 13th April 2020, it saw about 18 million Covid-19 related malware and phishing email scams.


Hackers are also creating many fake sites, such as Covid-19 trackers or Covid-19 relief package pages. The scams exploit news of the coronavirus financial incentives and fears about Covid-19. The websites try to trick people into using them or clicking on links.

According to Check Point researchers, from January 2020 to the first week of April, a total of 4,305 domains relating to new relief/stimulus packages were registered globally. There were 2,081 new domain registrations in March and 473 so far in April.

We need to beware of such frauds: use only official websites for any information and queries, and do not be drawn in by fake messages about relief funds or other Covid-19 related traps.