5,576 bank employees — that is the number CashlessConsumer says had their credentials and contact details exposed through the registrar for India’s new .bank.in namespace.
Reserve Bank of India’s .bank.in mandate and its purpose
In 2025 the Reserve Bank of India created the .bank.in subdomain and required all local banks to register and begin using bankname.bank.in for their online presences. The policy aimed to make life harder for phishers and fraudsters by consolidating Indian banking web identities under a single, controlled namespace. India is home to thousands of banks, and the new rule meant every one of them had to register for and use a bankname.bank.in domain.
IDRBT was chosen as the exclusive registrar — and, according to a researcher, exposed its API
The Institute for Development and Research in Banking Technology (IDRBT) was selected as the exclusive registrar for India’s .bank.in namespace. A report and post published by CashlessConsumer yesterday alleges that the IDRBT Domain Registration Portal (registrar.idrbt.ac.in) “exposed its entire REST API via 33+ unauthenticated endpoints.” The post adds that “Anyone with curl could retrieve the bcrypt password hashes, mobile numbers, email addresses, login IPs, and device fingerprints of all 5,576 bank employees trusted with managing India’s banking domains.”
What the researcher, Srikanth L, says he discovered
The researcher behind the exposé, who identifies himself as “Srikanth L”, says he accessed information through the portal and found multiple operational security gaps. He reports that some Indian banks host websites on shared servers located in the United States, Singapore, and Lithuania. He also reports widespread shortcomings in domain and email security on the registered .bank.in domains: about 80 percent of the registered domains reportedly do not use DNSSEC, roughly 40 percent do not employ the DMARC email authentication protocol, and many domains are secured with free Let’s Encrypt TLS certificates rather than more controlled certificate practices.
Timeline: audit, disclosure, and remediation
CashlessConsumer’s post alleges the portal went live without a proper security audit and ran without secure APIs for 13 months. Srikanth L says he disclosed his findings in early June and that IDRBT has since fixed the security flaws he reported. The researcher appears to have used a GitHub repository to list some of the data he retrieved via the portal’s APIs; as a result, some of the information that was previously retrievable over the open API is now publicly available.
What this means for technologists, regulators, and bank customers
- Technologists and security teams: Teams responsible for the .bank.in rollout and for individual bank domains will need to verify credentials and contact data, re-evaluate hosting arrangements (including third-country shared hosting in the US, Singapore, and Lithuania), and prioritize deployment of DNSSEC and DMARC where absent.
- Policymakers and regulators: Regulators who imposed the .bank.in requirement may now face pressure to review procurement and audit processes used when appointing an exclusive registrar, and to require formal security assessments before domain registries go live.
- End users and bank customers: Customers whose banks transitioned to bankname.bank.in are affected indirectly; the researcher warns that exposed credentials and contact data could have enabled attackers to carry out DNS spoofing and phishing attacks — precisely the threats the .bank.in rule was meant to reduce.
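The two controls the researcher measured across the registered domains (DNSSEC delegation and a published DMARC policy) can be tallied the same way by any bank or registry team reviewing its own inventory. The following is an added example, not code from CashlessConsumer or IDRBT: it takes pre-fetched DNS observations (a DS record set at the parent zone and the TXT record at _dmarc.<domain>), parses the DMARC policy, and reports the share of domains lacking each control; the domain names and DNS answers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

@dataclass
class DomainPosture:
    domain: str
    dnssec: bool                  # True when the parent zone publishes a DS record
    dmarc_policy: Optional[str]   # "none" / "quarantine" / "reject", or None if unpublished

def parse_dmarc(txt: Optional[str]) -> Optional[str]:
    """Return the p= policy of a DMARC TXT record, or None if no valid record exists."""
    if not txt:
        return None
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":      # not a DMARC record at all (e.g. a stray SPF string)
        return None
    return tags.get("p")               # p= is mandatory; a record without it is unusable

def assess(domain: str, ds_records: Sequence[str], dmarc_txt: Optional[str]) -> DomainPosture:
    """Combine the two DNS observations into one posture row."""
    return DomainPosture(domain, bool(ds_records), parse_dmarc(dmarc_txt))

def summarize(postures: List[DomainPosture]) -> Dict[str, int]:
    """Share of domains lacking each control, in the form the researcher reported."""
    n = max(len(postures), 1)
    no_dnssec = sum(1 for p in postures if not p.dnssec)
    no_dmarc = sum(1 for p in postures if p.dmarc_policy is None)
    monitor_only = sum(1 for p in postures if p.dmarc_policy == "none")
    return {
        "domains": len(postures),
        "no_dnssec_pct": round(100 * no_dnssec / n),
        "no_dmarc_pct": round(100 * no_dmarc / n),
        "dmarc_p_none": monitor_only,  # published but unenforced: spoofed mail still delivered
    }

# Constructed inventory: (DS records at the parent, TXT at _dmarc.<domain>). Not real .bank.in data.
SAMPLE_DNS = {
    "alpha.bank.in": (["12345 13 2 CONSTRUCTED-DIGEST"], "v=DMARC1; p=reject; rua=mailto:dmarc@alpha.bank.in"),
    "beta.bank.in": ([], "v=DMARC1; p=none; rua=mailto:dmarc@beta.bank.in"),
    "gamma.bank.in": ([], None),
    "delta.bank.in": ([], "v=spf1 include:_spf.example.net -all"),
    "epsilon.bank.in": (["23456 13 2 CONSTRUCTED-DIGEST"], "v=DMARC1; p=quarantine; pct=100"),
}

def run_sample() -> Dict[str, int]:
    return summarize([assess(d, ds, txt) for d, (ds, txt) in SAMPLE_DNS.items()])

if __name__ == "__main__":
    print(run_sample())
```

In production the tuples would come from a resolver query for the DS RRset and the `_dmarc` TXT record; a `p=none` policy counts as published but, like a missing record, does not stop spoofed mail from reaching recipients.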
At the time of writing, the IDRBT, the Reserve Bank of India, and India’s government appear not to have made a public comment on the allegations. The record presented by CashlessConsumer and Srikanth L raises a pointed, practical question for those overseeing the transition to a national .bank namespace: can a centralised trust mechanism deliver security improvements if the single point of registration itself is not subject to timely audits and hardened APIs? The researcher says the immediate gaps have been fixed; the longer-term test will be whether registries, banks, and regulators document changes, complete independent audits, and transparently restore confidence in the system.