India's official .bank.in domain registry exposed password hashes and mobile numbers for 5,576 bank employees. The vulnerability persisted for 13 months, featuring 1,072 "Super Admin" accounts without active owners, all launched without a security audit. This means critical infrastructure mandated by the RBI went live with easily preventable, glaring security flaws.
How We Got Here
The Reserve Bank of India launched the .bank.in domain suffix in February 2025 as a digital trust marker for official bank websites. However, independent researcher Srikanth L discovered the portal handling these registrations had been compromising sensitive data since launch.
The Numbers
- 33+ unauthenticated API endpoints were publicly accessible on the IDRBT portal managing .bank.in domains.
- The exposed data included bcrypt password hashes, mobile numbers, and login IPs for all 5,576 affected bank employees.
- Private vendor IKCON Technologies held 22 employee accounts on the portal, three of which had global "Super Admin" access.
- Srikanth L reported the vulnerabilities to CERT-In, which fixed the issue within 17 days of notification.
- There were zero public tenders or consultations conducted for the development of the crucial .bank.in portal.
What Happens Next
🇮🇳 Why This Matters for India
For FinTech founders building payment gateways or banking infrastructure in Mumbai and Bangalore, this incident highlights the constant, severe regulatory security risks.
The Take
The core issue here is RBI's institutional failure to launch a critical public trust system without any prior security audits or public tenders. This will force a serious conversation around accountability and mandatory independent security reviews for all future government-backed digital infrastructure.
Source:
MediaNama ↗