Mobile payment app BHIM has suffered a data breach, affecting personal records of over 7 million users in India, according to a report by Israeli cybersecurity website vpnMentor.

The 409-gigabyte data leak included personal identifiable information such as Aadhaar card details, caste certificates, residence proof, bank records, along with a complete profile of individuals, the report said.

According to vpnMentor’s findings, the BHIM website was being used in a campaign to sign up users and business merchants to the app of which some related data was being stored on a “misconfigured Amazon Web Services S3 bucket and was publicly accessible”. The S3 bucket contained records from February 2019, as per the report.

To simplify, S3 buckets are a form of cloud storage but require developers to set up the security protocols on their accounts.