Iranian finance/tech manager publishes 3,000,000 bank accounts' details and PINs

A finance technology manager named Khosrow Zarefarid discovered a critical flaw in Iran's online banking systems. He extracted 1,000 account details (including card numbers and PINs) and emailed them to the CEOs of 22 Iranian banks along with detailed information about the vulnerability. A year later, nothing had been done. Zarefarid extracted 3 million accounts' details from the bank's systems and posted them to Many Iranian banks have now frozen their customers' accounts and are only allowing PIN-change transactions at ATMs. Some banks have texted their customers to warn them of the breach. The Central Bank of Iran has published an official notice of the breach, but the notice does not say that the underlying vulnerability has been fixed, or even whether it is being addressed. Zarefarid is said to have left Iran, though his whereabouts are not known, at least to Emil Protalinski, who wrote about the breach for ZDNet:

It does not appear as if Zarefarid stole money from the accounts; he merely dumped the account details of around 3 million individuals, including card numbers and PINs, on his blog: I found the link via his Facebook account, along with the question “Is your bank card between thease 3000000 cards?”

...Zarefarid previously worked as a manager at a company called Eniak, which operates the Shetab (Interbank Information Transfer Network) system, an electronic banking clearance and automated payments system used in Iran. The company also manufactures and installs point of sale (POS) devices. In other words, Zarefarid worked for a firm that offered services to Iranian banks for accepting electronic payments.

Update: In a post to the ircard blog, Zarefarid clarifies what he has done, and claims he is not a "hacker." (via "Khosrow Zarefarid, in the comments)

3 million bank accounts hacked in Iran (via /.)


  1. I get that security flaws need to be revealed and fixed, but I really have a big problem in distributing innocent customers’ information like that. The security flaw isn’t their doing. If anything, he should have gotten the information of all the bank executives and IT heads who ignored his discovery and published only those.  Leave the customers out of it.

    1. Well, what he DID do was guarantee the issue would be dealt with, and in a manner that no customers would lose money from the exploitation of the issue.

      Unfortunately, they can’t get at their own money though.

  2. If only the people of Iran had a value transfer system they could use that was not dependent on centralized institutions, they could avoid the pain of having their personal info compromised. Too bad nobody invented p2p money based on a cryptographically secured public ledger or something like that.

  3. If that happened here, I’d be storming the doors of my bank, and if it happened in America there’d be a class-action suit the likes of which even God has never seen. 

    It’ll be interesting to watch how this plays out.  I expect the banks to paint Zarefarid as a hax villain, to divert all the blame onto his made-up elite skillz, and also to not fix a damn thing. Unless threatened with bottom-line impact or boardroom jail time, corps don’t move.

Comments are closed.