The Dukaan e-commerce data leak has exposed sensitive merchant and customer data for millions of users.
Security researchers discovered that a misconfigured Apache Kafka broker had streamed unprotected data for more than two years.
The breach affected Dukaan’s global platform, which hosts over 3.5 million merchants and serves nearly 16 million customers.

How the Breach Happened

The exposed Kafka instance lacked both authentication and proper access control.
Since August 2023, it transmitted more than 270,000 messages daily, including payment data and order details.
Researchers found authentication tokens linked to major payment gateways such as Stripe, PayPal, and RazorPay.
These tokens could have allowed attackers to access financial systems, modify orders, or perform fraudulent transactions.
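
The two gaps described above, missing client authentication and missing access control, can be checked directly in a broker's server.properties. The following is an added example, not code from the article or from Dukaan; the sample configurations are constructed, and the function names are hypothetical.

```python
# Added example (not from the article): audit Kafka server.properties text for
# listeners without client authentication and for missing ACL enforcement.
AUTHENTICATED = {"SASL_SSL", "SASL_PLAINTEXT"}

# Constructed samples; the article does not publish the real broker config.
WEAK = "listeners=PLAINTEXT://0.0.0.0:9092\n"
HARDENED = """\
listeners=CLIENT://0.0.0.0:9093
listener.security.protocol.map=CLIENT:SASL_SSL
sasl.enabled.mechanisms=SCRAM-SHA-512
authorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizer
allow.everyone.if.no.acl.found=false
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit_broker(text):
    """Return findings for unauthenticated listeners and absent ACL enforcement."""
    props = parse_properties(text)
    findings = []
    # Listener names map to protocols; an unmapped name is treated as the protocol.
    pairs = props.get("listener.security.protocol.map", "").split(",")
    proto_map = dict(p.strip().split(":", 1) for p in pairs if ":" in p)
    # Assumption: an unset "listeners" is treated as PLAINTEXT on port 9092.
    for listener in filter(None, props.get("listeners", "PLAINTEXT://:9092").split(",")):
        name, _, addr = listener.strip().partition("://")
        proto = proto_map.get(name, name).upper()
        # SSL authenticates clients only when client certificates are required.
        mtls = proto == "SSL" and props.get("ssl.client.auth") == "required"
        if proto not in AUTHENTICATED and not mtls:
            findings.append(f"listener {name} ({addr}) uses {proto}: clients are not authenticated")
        if proto in ("PLAINTEXT", "SASL_PLAINTEXT"):
            findings.append(f"listener {name} ({addr}) uses {proto}: traffic is not encrypted")
    if not props.get("authorizer.class.name"):
        findings.append("authorizer.class.name is unset: no ACLs are enforced")
    elif props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true: resources without ACLs are open to all")
    return findings

if __name__ == "__main__":
    for label, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, audit_broker(cfg) or "no findings")
```

Per-listener overrides such as listener.name.<name>.ssl.client.auth are not evaluated here, so a clean result still needs a network-level check that the port is not reachable from the internet.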

Massive Security and Financial Risks

Experts warn that the Dukaan e-commerce data leak created ideal conditions for cybercriminals.
Attackers with access to the exposed keys could steal customer payment details or impersonate merchants.
They could also process fake refunds, extract funds, or target users through phishing campaigns.
Because the leak persisted for years, attackers may have already exploited the data without detection.

Impact on Merchants and Users

The leaked data included full customer names, phone numbers, and email addresses.
Hackers could use this information to commit identity theft or to launch social engineering and phishing attacks.
Merchants also risk financial losses, as exposed payment keys may lead to unauthorized transfers.
Security experts describe this as one of the most severe Indian e-commerce breaches of the year.

Discovery and Response

Cybersecurity researchers first detected the issue on August 27, 2025.
They promptly notified Dukaan and India’s Computer Emergency Response Team (CERT-In).
The broker was finally secured on October 8, closing more than two years of open exposure.
However, Dukaan has not yet issued an official public statement about the breach.

What Users Should Do

Security experts recommend immediate action:

  • Merchants should rotate all payment gateway credentials.
  • Customers should monitor bank accounts and credit cards for unusual activity.
  • Businesses using Dukaan should review access logs and network permissions.
  • All users should stay alert for phishing attempts using leaked data.

Conclusion

The Dukaan e-commerce data leak highlights the growing risks of cloud misconfiguration and poor authentication.
With millions of customers and merchants affected, the financial and reputational damage could be severe.
E-commerce platforms must enforce strict security controls — because one exposed server can compromise an entire ecosystem.

