Threat researcher’s complaint reveals the central bank’s portal leaked credentials, contact details, and device fingerprints amid audit gaps and weak protections.
According to a news report by The Register, India’s central bank had created the .bank.in subdomain in 2025 and told domestic banks to adopt it for their online services, a move meant to make fraudulent lookalike sites harder to use for phishing.
That trust-building effort is now under scrutiny after a security researcher said the system’s sole registrar, the Institute for Development and Research in Banking Technology (IDRBT), mishandled the domain-registration portal and exposed sensitive information.
The allegation was detailed in a report and in a post by CashlessConsumer, a group that promotes cashless payments and says it advocates on behalf of citizens in India’s digital-payments ecosystem.
According to the complaint, the IDRBT registration portal exposed its REST API through more than 30 unauthenticated endpoints, allowing anyone with basic tools to pull bcrypt password hashes, mobile numbers, email addresses, login IPs, and device fingerprints tied to thousands of bank employees involved in managing the country’s banking domains.
The researcher, identified as “Srikanth L”, also said the data showed some banks hosting websites on shared servers in the United States, Singapore, and Lithuania, while a large share of registered .bank.in domains lacked DNSSEC and DMARC protections and many relied on free Let’s Encrypt certificates. The post also alleged that the official portal had been ‘live’ for 13 months without a proper security audit and without secured APIs.
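The complaint singles out missing DMARC records as one of the weak spots on registered .bank.in domains. A defender auditing a list of domains would want a quick way to classify each domain's DMARC posture rather than eyeball raw TXT records. The following is an added example (not code from the article, IDRBT, or the researcher) that parses a DMARC record and rates it as missing, invalid, monitor-only, partially enforced, or enforced. The domain names and records are constructed samples; in a real audit the `txt` value would come from a DNS TXT lookup of `_dmarc.<domain>`, which is left out here so the script runs offline.

```python
"""Classify DMARC enforcement from a domain's DMARC TXT record.

Added example for the article above; not part of any IDRBT/RBI tooling.
All domains and records below are constructed samples, not real lookups.
"""
from typing import Dict, Optional


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase tag -> value map."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_status(txt: Optional[str]) -> str:
    """Return 'missing', 'invalid', 'monitor-only', 'partial', or 'enforced'.

    'monitor-only' (p=none) means spoofed mail is reported but still delivered;
    'partial' means a reject/quarantine policy applies to less than 100% of mail.
    """
    if txt is None:
        return "missing"
    tags = parse_dmarc(txt)
    # A valid record must start with v=DMARC1 and carry a policy tag.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor-only"
    if policy not in ("quarantine", "reject"):
        return "invalid"
    # pct defaults to 100; a lower value leaves a share of spoofed mail unfiltered.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    return "partial" if pct < 100 else "enforced"


# Constructed sample inventory: domain -> DMARC TXT record (None = no record).
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "good-bank.example": "v=DMARC1; p=reject; rua=mailto:dmarc@good-bank.example",
    "quarantine-bank.example": "v=DMARC1; p=quarantine; pct=50",
    "monitor-bank.example": "v=DMARC1; p=none; rua=mailto:reports@monitor-bank.example",
    "no-record-bank.example": None,
    "broken-bank.example": "v=DMARC1; rua=mailto:x@broken-bank.example",
}


def audit(records: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Rate every domain in the inventory."""
    return {domain: dmarc_status(txt) for domain, txt in records.items()}


if __name__ == "__main__":
    for domain, status in audit(SAMPLE_RECORDS).items():
        print(f"{domain:28s} {status}")
```

Only "enforced" actually blocks lookalike senders; a domain rated "monitor-only" has a record yet offers no protection against spoofed mail, which is why an audit should not count the mere presence of a DMARC record as a pass.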
Srikanth L said he reported the issue in early June, and that IDRBT has since addressed the most serious security problems. As of the article’s publication, IDRBT, the Reserve Bank of India, and the Indian government had not publicly commented on the findings. Experts note that the slow response from the authorities underscores a familiar accountability gap: when trust infrastructure fails, prolonged silence from the authorities can deepen the damage and erode public confidence further.
