
India’s central bank mandated use of .bank domains to enhance trust – but its registry leaked sensitive info

Open API leaked everything an attacker needs to impersonate bank officials

tech4you AI
June 30, 2026


In 2025, the Reserve Bank of India created the .bank.in namespace and required all domestic banks to move their online presence onto it. India is home to thousands of banks, and the new rule meant every one of them had to register for and use a bankname.bank.in domain, a move designed to make life harder for phishers and fraudsters by giving customers a single, recognisable suffix to trust.

Now a security researcher has alleged that the entity chosen as the sole registrar of the subdomains – the Institute for Development and Research in Banking Technology (IDRBT) – botched the job and leaked sensitive data.

The allegation came in a report [PDF] and post published yesterday by CashlessConsumer, a group that advocates for India to become a cashless society and which aims to represent citizens to digital payments players.

“The IDRBT Domain Registration Portal (registrar.idrbt.ac.in) – the exclusive registrar for India’s .bank.in namespace – exposed its entire REST API via 33+ unauthenticated endpoints,” the post alleges. “Anyone with curl could retrieve the bcrypt password hashes, mobile numbers, email addresses, login IPs, and device fingerprints of all 5,576 bank employees trusted with managing India’s banking domains.”

The researcher behind the exposé, “Srikanth L”, says he accessed info through the portal and found evidence that some Indian banks host websites on shared servers in the United States, Singapore, and Lithuania. He also found that 80 percent of registered .bank.in domains don’t use DNSSEC, 40 percent don’t publish a DMARC policy (the email authentication standard that lets a domain owner tell receiving mail servers to quarantine or reject messages that fail SPF and DKIM checks), and many domains are secured with free Let’s Encrypt certificates, which are domain-validated only and involve no vetting of the organisation behind the domain.
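The two DNS posture checks reported above, DNSSEC and DMARC, are simple to reproduce for any list of domains. The following is an added example, not code from the article, IDRBT, or the CashlessConsumer report: the DNS lookup is injected as a callable so the script runs offline against constructed records, and the bank-a through bank-e names and their records are invented, mixed so that the sample reproduces the 80 percent / 40 percent figures the researcher reported.

```python
"""Rate a list of domains on DNSSEC and DMARC posture.

Added example: this is not code from the article, IDRBT, or the
CashlessConsumer report. DNS lookups are injected as a callable so the
block runs offline against constructed records; the bank-a..bank-e
domains and their answers below are invented for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Lookup = Callable[[str, str], List[str]]  # (name, rtype) -> record strings


@dataclass
class Posture:
    domain: str
    dnssec: bool                  # zone publishes DNSKEY records at its apex
    dmarc_policy: Optional[str]   # "none" / "quarantine" / "reject", or None if no record


def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Split a DMARC TXT record into its tag=value pairs.

    Returns None when the string is not a DMARC record (a DMARC record
    must begin with v=DMARC1; tag names are case-insensitive).
    """
    if not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain: str, lookup: Lookup) -> Posture:
    """Classify one domain from its apex DNSKEY and _dmarc TXT answers."""
    # A DNSKEY at the apex shows the zone is signed. A real audit should
    # also confirm the DS chain from the parent (e.g. query through a
    # validating resolver and check the AD flag); presence is a first-pass signal.
    dnssec = bool(lookup(domain, "DNSKEY"))

    policy: Optional[str] = None
    for txt in lookup(f"_dmarc.{domain}", "TXT"):
        tags = parse_dmarc(txt)
        if tags is not None:
            # "p" is mandatory; a malformed record without it is treated as p=none
            policy = tags.get("p", "none").lower()
            break
    return Posture(domain, dnssec, policy)


def summarise(postures: List[Posture]) -> Dict[str, float]:
    """Percentages of domains lacking DNSSEC, lacking DMARC, or set to p=none."""
    n = len(postures)
    if n == 0:
        return {"no_dnssec_pct": 0.0, "no_dmarc_pct": 0.0, "dmarc_none_pct": 0.0}

    def pct(count: int) -> float:
        return round(100.0 * count / n, 1)

    return {
        "no_dnssec_pct": pct(sum(not p.dnssec for p in postures)),
        "no_dmarc_pct": pct(sum(p.dmarc_policy is None for p in postures)),
        "dmarc_none_pct": pct(sum(p.dmarc_policy == "none" for p in postures)),
    }


# Constructed DNS answers (not real zones). The mix is chosen so the sample
# reproduces the article's 80% no-DNSSEC / 40% no-DMARC figures.
SAMPLE_RECORDS: Dict[Tuple[str, str], List[str]] = {
    ("bank-a.bank.in", "DNSKEY"): ["257 3 13 <constructed-key>"],
    ("_dmarc.bank-a.bank.in", "TXT"): ["v=DMARC1; p=reject; rua=mailto:dmarc@bank-a.bank.in"],
    ("_dmarc.bank-b.bank.in", "TXT"): ["v=DMARC1; p=none"],
    ("_dmarc.bank-c.bank.in", "TXT"): ["V=DMARC1; P=quarantine; pct=100"],
    # bank-d publishes a TXT at _dmarc that is not a DMARC record at all
    ("_dmarc.bank-d.bank.in", "TXT"): ["v=spf1 -all"],
    # bank-e has no _dmarc record and no DNSKEY
}
SAMPLE_DOMAINS = [f"bank-{c}.bank.in" for c in "abcde"]


def sample_lookup(name: str, rtype: str) -> List[str]:
    """Offline stand-in for a DNS resolver, backed by the constructed records."""
    return SAMPLE_RECORDS.get((name, rtype), [])


def run_sample() -> Dict[str, float]:
    """Assess the constructed sample and return the summary percentages."""
    return summarise([assess(d, sample_lookup) for d in SAMPLE_DOMAINS])


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(assess(d, sample_lookup))
    print(run_sample())
```

To run this against live domains, replace sample_lookup with a thin wrapper around dnspython, returning `[r.to_text() for r in dns.resolver.resolve(name, rtype)]` and mapping `dns.resolver.NXDOMAIN` and `dns.resolver.NoAnswer` to an empty list. Note that a DMARC record with p=none only asks receivers for reports; it does nothing to stop a spoofed message reaching the inbox, which is why the summary counts it separately from domains with no record.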

The researcher’s post also alleges that the portal went live without a proper security audit and ran without secure APIs for 13 months.

Srikanth L disclosed his findings in early June and says IDRBT has since fixed the gaping security flaws. The researcher also appears to have used a GitHub repo to list info found by accessing the portal’s APIs – so some of the info available over the previously-open API is now public – and claimed doing so will help security researchers by letting them understand the extent of Indian banking infrastructure.

That knowledge is doubly useful to an attacker. The open API may have let anyone harvest the bcrypt password hashes of the staff who manage bank domains, which can be cracked offline, together with the email addresses, phone numbers, login IPs, and device fingerprints needed for credential stuffing and targeted phishing of those same people. Control of a registrant account enables many forms of attack, including the DNS spoofing and phishing the .bank.in requirement was designed to prevent.

At the time of writing, the IDRBT, Reserve Bank, and India’s government appear not to have made a public comment on the matter. ®


Originally published on The Register
