logo

India’s central bank mandated use of .bank domains to enhance trust – but its registry leaked sensitive info

ID: 89a0a00c-247a-5350-a739-9d5b79259947

STIX ID: report--89a0a00c-247a-5350-a739-9d5b79259947

Feed Name: The Register (Security)

Threat Score
70/100

Date Published: 2026-06-30

Date Updated: 2026-07-02

...
...

A security researcher reported that the Institute for Development and Research in Banking Technology (IDRBT), the sole registrar for India’s .bank.in namespace, exposed an open REST API with 33+ unauthenticated endpoints that allegedly allowed access to bcrypt password hashes, mobile numbers, email addresses, login IPs and device fingerprints for roughly 5,576 bank employees; the researcher claims many .bank.in domains lack DNSSEC/DMARC and that the portal ran without proper security audits for about 13 months before the issues were fixed following disclosure.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.