India's official .bank.in domain registry exposed password hashes and mobile numbers for 5,576 bank employees. The vulnerability persisted for 13 months, featuring 1,072 "Super Admin" accounts without active owners, all launched without a security audit. This means critical infrastructure mandated by the RBI went live with easily preventable, glaring security flaws.
The Reserve Bank of India launched the .bank.in domain suffix in February 2025 as a digital trust marker for official bank websites. However, independent researcher Srikanth L discovered the portal handling these registrations had been compromising sensitive data since launch.
While CERT-In patched the vulnerabilities within 17 days of Srikanth L's report, the RBI now faces scrutiny on its due diligence for critical digital infrastructure. Expect a push for accountability regarding why this prolonged data exposure was not identified internally.
🇮🇳 Why This Matters for India
For FinTech founders building payment gateways or banking infrastructure in Mumbai and Bangalore, this incident highlights the constant, severe regulatory security risks.
The Take
The core issue here is RBI's institutional failure to launch a critical public trust system without any prior security audits or public tenders. This will force a serious conversation around accountability and mandatory independent security reviews for all future government-backed digital infrastructure.
Source:  MediaNama ↗