In 2025, India’s central bank mandated that all local banks adopt a .bank.in domain to reduce phishing risks. The Institute for Development and Research in Banking Technology (IDRBT) was appointed as the sole registrar for the namespace. However, the system designed to enhance trust in banking infrastructure instead became a security liability when its registration portal exposed sensitive data for over a year.
What was exposed
A security researcher, identified as Srikanth L, reported that the IDRBT Domain Registration Portal (registrar.idrbt.ac.in) left 33 REST API endpoints unauthenticated. These endpoints allowed anyone with basic tools like curl to retrieve bcrypt password hashes, mobile numbers, email addresses, login IP addresses, and device fingerprints of all 5,576 bank employees authorized to manage .bank.in domains. The researcher also discovered that some Indian banks host their websites on shared servers located in the United States, Singapore, and Lithuania, raising concerns about data sovereignty and infrastructure resilience.
- 5,576 bank employees’ credentials and personal data exposed
- 33+ unauthenticated API endpoints accessible via curl
- 80% of .bank.in domains lacked DNSSEC
- 40% of domains did not use DMARC
- Flaw persisted for 13 months before being fixed in June 2026
The researcher published findings on a GitHub repository, making some of the exposed data publicly accessible. While the intent was to aid security research, the disclosure also highlighted the risk that malicious actors could have exploited the same data for phishing, DNS spoofing, or other attacks. Many of the exposed domains relied on free Let’s Encrypt certificates, which, while secure, may not meet the higher assurance standards expected for financial institutions.
Response and implications
Srikanth L disclosed the vulnerability to IDRBT in early June 2026, and the organization subsequently secured the API endpoints. However, as of 30 June 2026, neither IDRBT, the Reserve Bank of India, nor the Indian government had issued a public statement addressing the incident. The lack of transparency leaves unanswered questions about whether the exposed data was accessed by unauthorized parties during the 13-month window.
The incident undermines the original goal of the .bank.in mandate: to create a trusted, phishing-resistant namespace for Indian banks. Instead, the registry’s poor security practices introduced new risks, including the potential for attackers to impersonate bank employees or manipulate DNS records. The fact that 80% of registered domains lacked DNSSEC and 40% did not use DMARC further weakens the security posture of India’s banking sector, despite the central bank’s efforts to standardize protections.
For professionals: Operators of critical infrastructure registries should audit API security, enforce authentication on all endpoints, and conduct regular penetration testing. Banks using .bank.in domains should review their DNS and email security configurations, particularly DNSSEC and DMARC, to mitigate risks from potential credential misuse.
What to watch
The incident raises broader questions about the oversight of specialized TLD registries, particularly those handling sensitive sectors like finance. If IDRBT’s portal lacked basic security controls, similar vulnerabilities may exist in other country-code or industry-specific registries. Regulators and industry groups may push for stricter security standards for registries, including mandatory audits and breach disclosure requirements. Meanwhile, Indian banks will need to assess whether the exposed credentials were compromised and take steps to rotate them, even if no evidence of misuse has emerged.
Automated pipeline · Security
Synthesized from 1 industry feed on 30 Jun 2026. Passed independent editor verification (score 85/100) before publication. Style guide v1.4.