In a significant cybersecurity lapse, the RBI's ‘.bank.in’ domain registration system had multiple vulnerabilities for over a year, allowing unauthorized access to sensitive data of approximately 5,000 bank employees. This flaw could have enabled attackers to impersonate legitimate banking websites, undermining citizens’ trust in official digital channels.

  • 5,000 bank employees’ sensitive data exposed via unauthenticated APIs
  • Vulnerabilities persisted in RBI’s .bank.in registry from Feb 2025 to mid-2026
  • Potential for spoofed bank websites and phishing through compromised domains

What happened

In February 2025, the Reserve Bank of India introduced the ‘.bank.in’ domain suffix aimed at helping users instantly verify authentic banking websites. This new digital mark was intended to increase trust in online banking interactions by assuring users that websites with this domain belong to legitimate banks.

However, the IDRBT-operated domain registration portal responsible for managing these ‘.bank.in’ domains contained over 33 unauthenticated API endpoints. These endpoints exposed sensitive data of around 5,000 bank employees, including password hashes and login IP addresses, for 13 months until the issue was eventually fixed. This breach highlighted critical lapses in both development and security auditing processes of the system.

Why it matters

Although the exposed password hashes were generated with bcrypt, a salted and deliberately slow one-way hashing algorithm, attackers with sufficient resources could potentially crack these hashes over time. Recovered passwords would allow malicious actors to hijack the accounts of bank employees responsible for domain management.

With control over these accounts, attackers could have issued fraudulent ‘.bank.in’ domains, redirected web traffic, or spoofed legitimate banking websites. This scenario would turn the RBI’s trust-building measure into a tool for phishing, fraud, and social engineering attacks targeting millions of users relying on secure digital banking.

What to watch next

Following this incident, it is essential to monitor the steps RBI and IDRBT take to strengthen security auditing, implement independent code reviews, and carry out comprehensive penetration testing before rolling out critical digital infrastructure projects.

The incident also sets a precedent for regulatory bodies and banks to increase transparency and responsiveness regarding cybersecurity flaws that affect consumer trust and financial safety. Stakeholders should watch for updated security protocols and policies around digital identity markers within India’s banking ecosystem.

Source assisted: This briefing began from a discovered source item from MediaNama.