Key Takeaways

- IDRBT's domain registration portal exposed 33+ unauthenticated API endpoints for 13 months
- Attackers could access bcrypt password hashes, mobile numbers, emails, and login IPs of 5,576 bank employees
- 80% of registered .bank.in domains lack DNSSEC; 40% don't use DMARC email security

The Reserve Bank of India mandated the .bank.in subdomain in 2025 to help customers distinguish real bank websites from phishing clones. The idea was simple: only verified banks could register, and the namespace would become a trust signal. Now a security researcher has alleged the registry itself leaked sensitive credentials of thousands of bank employees through open APIs, potentially enabling the exact attacks the system was built to prevent.
What data was exposed?
According to a report published by CashlessConsumer, a digital payments advocacy group, the IDRBT Domain Registration Portal at registrar.idrbt.ac.in exposed 33 or more REST API endpoints without authentication. The researcher behind the report, known as Srikanth L, claims anyone with curl could retrieve bcrypt password hashes, mobile numbers, email addresses, login IPs, and device fingerprints for all 5,576 bank employees authorized to manage .bank.in domains.
IDRBT, the Institute for Development and Research in Banking Technology, is the RBI's technology research arm. It has operated for 28 years and was selected as the exclusive registrar for India's new banking namespace. The portal allegedly went live without a security audit and ran with insecure APIs for 13 months before the issues were disclosed.
Why this matters for phishing attacks
The exposed data is a social engineering goldmine. An attacker with access to a bank official's name, email, phone number, and login IP can craft highly targeted spear-phishing campaigns. Worse, the bcrypt password hashes, while computationally expensive to crack, still represent a risk if any bank employees reused passwords across systems.
The irony here is sharp. The .bank.in initiative was designed to combat phishing. RBI's stated goal was to let customers "easily identify legitimate bank websites." Instead, the registry may have handed attackers verified contact information for the people who manage those domains.
Srikanth L's research also found troubling patterns in how banks configured their domains. Around 80 percent of registered .bank.in domains don't use DNSSEC, the protocol that prevents DNS spoofing attacks. About 40 percent lack DMARC, which verifies sender identity for emails. Some Indian banks host their websites on shared servers in the United States, Singapore, and Lithuania. Many domains are secured only with free Let's Encrypt certificates.
Has IDRBT fixed the problem?
Srikanth L says he disclosed his findings in early June 2026, and IDRBT has since fixed the open API endpoints. But the damage window stretched 13 months. There's no way to know if threat actors accessed the same data during that period.
The researcher also published a GitHub repository listing information found through the portal's APIs. His stated goal is to help security researchers understand the extent of Indian banking infrastructure. That data is now public, which may assist defenders but also provides a roadmap for attackers.
At the time of reporting, neither IDRBT, the Reserve Bank of India, nor the Indian government had issued a public statement on the matter.
India's banking fraud problem in context
India reported ₹10,319 crore (roughly $1.2 billion) in cyber fraud losses to the RBI in fiscal year 2023-24. CERT-In data shows over 13,000 phishing and vishing complaints related to banking fraud each month. India is home to more than 1,500 scheduled commercial and cooperative banks, all of which were required to register .bank.in domains.
The scale makes this more than an embarrassment. With thousands of banks and millions of customers, even a modest percentage of compromised accounts translates to significant financial harm.
Logicity's Take
This incident illustrates a pattern we see repeatedly: security initiatives fail at the implementation layer. The .bank.in concept is sound. A verified namespace helps customers and reduces attack surface. But rushing a registry portal to production without authentication on its APIs negates the benefit. For CTOs and CISOs, the lesson is to audit trust infrastructure as aggressively as you'd audit your own systems. When you outsource domain management to a third party, their security posture becomes yours.
What should affected banks do now?
Any bank that registered a .bank.in domain should assume the credentials of their domain administrators may be compromised. That means rotating passwords, enforcing multi-factor authentication if not already in place, and monitoring for suspicious login attempts. Banks should also review their DNS configurations to enable DNSSEC and implement DMARC policies.
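As a starting point for the DNS review described above, the following added example (not code from the researcher's report or from IDRBT) classifies a domain's DMARC posture and checks whether the parent zone publishes a DS record for it. It assumes the DNS answers were fetched beforehand; the function names, finding labels and the bank-*.example domains and records are hypothetical and constructed for illustration.

```python
# Added example: audits DNS answers fetched beforehand (e.g. `dig +short TXT _dmarc.<domain>`,
# `dig +short DS <domain>`). Every domain and record below is constructed sample data.

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT string, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    key, _, value = (parts[0] if parts else "").partition("=")
    if key.strip().lower() != "v" or value.strip() != "DMARC1":
        return None  # RFC 7489: the version tag must come first
    pairs = (p.partition("=") for p in parts[1:])
    return {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}

def audit_domain(dmarc_txt, ds_records):
    """dmarc_txt: TXT strings at _dmarc.<domain>; ds_records: DS rdata from the parent."""
    findings = []
    records = [t for t in map(parse_dmarc, dmarc_txt) if t is not None]
    if not records:
        findings.append("dmarc-missing")
    elif len(records) > 1:
        findings.append("dmarc-multiple-records")  # receivers then apply no DMARC policy
    else:
        tags = records[0]
        policy = tags.get("p", "").lower()
        if policy not in ("none", "quarantine", "reject"):
            findings.append("dmarc-invalid-policy")  # p tag absent or unrecognized
        elif policy == "none":
            findings.append("dmarc-monitor-only")  # receivers are asked to take no action
        else:
            if tags.get("pct", "100") != "100":
                findings.append("dmarc-partial-enforcement")
            if tags.get("sp", policy).lower() == "none":
                findings.append("dmarc-subdomains-unprotected")
    if not ds_records:
        findings.append("dnssec-no-ds-at-parent")  # no chain of trust to this zone
    return findings

SAMPLES = {  # constructed inputs: (TXT at _dmarc.<domain>, DS rdata)
    "bank-a.example": (["v=DMARC1; p=reject; rua=mailto:dmarc@bank-a.example"], ["2371 13 2 <digest>"]),
    "bank-b.example": (["v=DMARC1; p=none"], []),
    "bank-c.example": (["v=spf1 -all"], ["2371 13 2 <digest>"]),
    "bank-d.example": (["v=DMARC1; p=quarantine; pct=25; sp=none"], []),
}

def audit_all(samples=SAMPLES):
    return {name: audit_domain(txt, ds) for name, (txt, ds) in samples.items()}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, findings or ["ok"])
```

A DS record at the parent only shows that a signed delegation exists; validating the signatures themselves still requires a DNSSEC-validating resolver.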
For customers, the advice is unchanged: verify URLs carefully, watch for unsolicited communications claiming to be from your bank, and report suspicious activity.
Frequently Asked Questions
What is the .bank.in domain and why was it created?
The Reserve Bank of India created the .bank.in subdomain in 2025 to provide a trusted namespace for Indian banks. Only verified banks can register, making it easier for customers to identify legitimate bank websites and harder for phishers to create convincing fakes.
What data was exposed in the IDRBT API leak?
The exposed API endpoints allegedly allowed access to bcrypt password hashes, mobile numbers, email addresses, login IPs, and device fingerprints of 5,576 bank employees responsible for managing .bank.in domains.
How long was the IDRBT portal vulnerable?
According to the researcher's report, the portal operated with insecure, unauthenticated APIs for 13 months before the vulnerabilities were disclosed and fixed.
Has IDRBT or the RBI commented on the security breach?
As of June 30, 2026, neither IDRBT, the Reserve Bank of India, nor the Indian government had issued a public statement about the alleged security exposure.
Source: www.theregister.com
Huma Shazia
Senior AI & Tech Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.