skip to main content

New York payments startup exposed millions of credit card numbers


A massive database storing millions of credit card transactions has been secured after spending close to three weeks exposed publicly to the internet.

The database belongs to Paay, a card payments processor based in New York. Like other payment processors, the company verifies payments on behalf of selling merchants, like online stores and other businesses, to prevent fraudulent transactions.

But because there was no password on the server, anyone could access the data inside.

“On April 3, we spun up a new instance on a service we are currently in the process of deprecating,” said Paay co-founder Yitz Mendlowitz. “An error was made that left that database exposed without a password.”

The database contained daily records of card transactions dating back to September 1, 2019 from a number of merchants. Each transaction contained the full plaintext credit card number, expiry date and the amount spent. The records also contained a partially masked copy of each credit card number. The data did not include cardholder names or card verification values, making it more difficult to use the credit card for fraud.


PAAY EMV 3DS - Schedule a Demo