Around 250 of these apps used the Razorpay API for processing financial transactions. Around 10 (5%) of these apps exposed the payment integration key ID and key secret. The API key is a combination of a key secret and a key ID. Both are needed to make an API request to the payment service provider. In this case, developers accidentally embedded the API keys in their source code which led to this issue, CloudSEK researchers noted in their blog post authored by Arshit Jain and Sai Ahladini Tripathy
https://t.co/CDQXY6Leho