India's Central Bank Domain Registry Leaks Sensitive Bank Employee Data
The sole registrar for India's mandated .bank.in domains allegedly exposed an API, leaking credentials and personal information of thousands of bank employees, undermining the initiative's security goals.

In an effort to bolster trust and combat phishing, India's central bank, the Reserve Bank of India (RBI), mandated in 2025 that all local banks adopt the .bank.in subdomain for their official online presences. This initiative aimed to create a more secure and recognizable digital footprint for financial institutions across the country, making it harder for malicious actors to impersonate legitimate banks.
However, the implementation of this security measure has been marred by a significant data leak. The Institute for Development and Research in Banking Technology (IDRBT), designated as the exclusive registrar for the .bank.in namespace, is accused of exposing its REST API through numerous unauthenticated endpoints. This alleged oversight allowed unauthorized access to sensitive information pertaining to bank employees.
A security researcher, operating under the pseudonym "Srikanth L" and advocating for a cashless society through the "CashlessConsumer" group, detailed the findings. The researcher claims that the IDRBT Domain Registration Portal (registrar.idrbt.ac.in) exposed bcrypt password hashes, mobile numbers, email addresses, login IP addresses, and device fingerprints belonging to all 5,576 bank employees entrusted with managing India's banking domains.
Further compounding the security concerns, the researcher also found that a substantial portion of the registered .bank.in domains lacked fundamental security configurations. Approximately 80 percent of these domains had no DNSSEC, the DNS extension that cryptographically signs records so resolvers can detect tampered or spoofed answers, while 40 percent had not deployed DMARC, the email authentication policy that lets receiving mail servers reject or quarantine spoofed messages. Many domains were also secured with basic, free Let's Encrypt certificates, which validate only control of the domain name rather than the identity of the organization and so offer a lower level of assurance.
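The two configuration gaps above are the kind a registrar or a bank's own security team can audit mechanically. The following Python is an added example, not code from the article or from the researcher's repository: it classifies each domain's DNSSEC delegation (presence of a DS record at the parent) and DMARC posture (the policy tag in the `_dmarc` TXT record) and produces the same style of percentages the report quotes. The domain names and DNS answers are constructed placeholders so that it runs offline; a real audit would fetch the DS and TXT records through a resolver library, and the DS check is a simplification of full chain validation.

```python
"""Posture check for bank domains: DNSSEC delegation and DMARC policy.

Added example. Works over constructed DNS answers (dicts standing in for
DS and TXT lookups) so it runs offline; swap in a real resolver for an audit.
"""

# Constructed sample answers for hypothetical domains (not real banks).
SAMPLE_DNS = {
    "examplebank.bank.in": {
        "DS": ["12345 13 2 PLACEHOLDERDIGEST"],   # signed delegation
        "TXT:_dmarc.examplebank.bank.in": [
            "v=DMARC1; p=reject; rua=mailto:dmarc@examplebank.bank.in"],
    },
    "secondbank.bank.in": {
        "DS": [],                                  # unsigned
        "TXT:_dmarc.secondbank.bank.in": ["v=DMARC1; p=none; rua=mailto:x@secondbank.bank.in"],
    },
    "thirdbank.bank.in": {
        "DS": [],                                  # unsigned, no DMARC at all
        "TXT:_dmarc.thirdbank.bank.in": [],
    },
    "fourthbank.bank.in": {
        "DS": ["23456 13 2 PLACEHOLDERDIGEST"],
        "TXT:_dmarc.fourthbank.bank.in": ["v=DMARC1; p=quarantine; pct=50"],
    },
}


def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs (keys lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_status(txt_records):
    """Classify the DMARC posture of a domain from its _dmarc TXT records."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return "missing"
    if len(dmarc) > 1:
        return "invalid"          # RFC 7489: receivers discard multiple records
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"          # missing or unknown p= tag
    if policy == "none":
        return "monitor-only"     # reports only; spoofed mail is still delivered
    if tags.get("pct", "100") != "100":
        return f"{policy}-partial"  # enforcement applied to a sample of messages
    return policy


def dnssec_status(ds_records):
    """A DS record in the parent zone means the delegation is signed.
    (Simplification: a full check would validate the RRSIG chain too.)"""
    return "signed" if ds_records else "unsigned"


def assess(domain, dns=SAMPLE_DNS):
    """Combine both checks for one domain."""
    answers = dns[domain]
    return {
        "domain": domain,
        "dnssec": dnssec_status(answers.get("DS", [])),
        "dmarc": dmarc_status(answers.get(f"TXT:_dmarc.{domain}", [])),
    }


def summarize(dns=SAMPLE_DNS):
    """Aggregate into the percentages a report would quote."""
    results = [assess(d, dns) for d in dns]
    n = len(results)
    no_dnssec = sum(r["dnssec"] == "unsigned" for r in results)
    weak_dmarc = sum(r["dmarc"] in ("missing", "invalid", "monitor-only") for r in results)
    return {
        "domains": n,
        "pct_without_dnssec": 100 * no_dnssec // n,
        "pct_without_enforcing_dmarc": 100 * weak_dmarc // n,
        "results": results,
    }


if __name__ == "__main__":
    report = summarize()
    for r in report["results"]:
        print(f'{r["domain"]:25} dnssec={r["dnssec"]:8} dmarc={r["dmarc"]}')
    print(f'{report["pct_without_dnssec"]}% without DNSSEC, '
          f'{report["pct_without_enforcing_dmarc"]}% without an enforcing DMARC policy')
```

The classifier deliberately treats `p=none` as a finding: a monitor-only record satisfies "has DMARC" in a naive count but does nothing to stop spoofed mail, which is the attack the article's initiative is meant to blunt. Only the direct `_dmarc.<domain>` record is consulted; the organizational-domain fallback that receivers apply to subdomains is left out for brevity.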
The allegations extend to the portal's development and operational lifecycle. The researcher's report suggests that the portal went live without a proper security audit and operated with insecure APIs for a period of 13 months. This prolonged period of vulnerability could have provided ample opportunity for malicious actors to discover and exploit the exposed data.
Following the disclosure of these findings in early June, the IDRBT has reportedly addressed the security flaws, patching the exposed API endpoints. The researcher also made some of the accessed information public via a GitHub repository, aiming to inform other security researchers about the extent of vulnerabilities within India's banking infrastructure.
The potential impact of this data leak is significant. The exposed credentials and personal information could be leveraged by attackers for various malicious activities, including sophisticated phishing campaigns, account takeovers, and potentially even DNS spoofing attacks, ironically undermining the very security objectives the .bank.in initiative was designed to achieve.
As of the report's publication, neither the IDRBT, the Reserve Bank of India, nor the Indian government had issued a public statement regarding the alleged data leak and the subsequent security lapse.