US fintech exposed 277 million records online
On July 6th Cyber Security Researcher Jeremiah Fowler discovered a publicly exposed database that contained a massive 277 million records that referenced financial transactions and internal logs.
Table of Contents
Upon further investigation, there were multiple references to Inswitch, a fintech company that provides technology for digital banking, digital wallets, issuing, processing, smart lending, and more. According to their website, they offer services in over 30 countries, including the United States, have more than 10 million transactions per hour, over 75 million users, and more than $9 billion USD in total payment value.
However, the IP address was issued an SSL certificate to Philadelphia-based Freedom Credit Union. According to their website, "Freedom Credit Union is a full-service financial institution that offers a banking alternative to consumers has over $1.1 Billion in assets and in excess of 70,000 members".
Many of the records were marked as production, but it appears this collection included logging events for all other environments such as development and testing.
The exposure included:
- internal users names,
- login and password references that could be used to bypass security
- and administrative credentials.
There were also references to what appeared to be customers or users in the form of
- ID numbers,
- issuing authority,
- phone number,
- and other potentially personally identifiable information.
We can only assume that this was some type of API or possibly managed network, and this could explain the references to Inswitch inside a database connected to Freedom Credit Union.
An API stands for application programming interface and serves as a connection between computers or programs. It is software that provides service, code, or functionality to other software.
Summary of the data leak:
- Total Size: 46.17 GB
- Total Number of Records: 277,457,493
- Logging records expose internal data that could potentially allow an attacker to access customer networks or bypass security credentials, including usernames and administrator passwords.
- The files also show where data is stored and a blueprint of how the network operates from the backend.
- Many files were marked "Production," and the database was at risk of a ransomware attack.
- Middleware or build information that could allow for a secondary path for malware. IP addresses, Ports, Pathways, and storage info that cybercriminals could exploit to access deeper into the network.
- The database also contained tokens and security information.
- This database was set to open and visible in any browser (publicly accessible), and anyone could edit, download, or even delete data without administrative credentials.
Example of exposed usernames:
Example of account data:
Weak passwords are a major risk:
The danger of capturing and storing logging records is that they can often record sensitive information in the process.
When any financial institution or fintech organization exposes internal records or customer data, it raises the risk of how cybercriminals could exploit vulnerabilities in the network or middleware that can be used as a backdoor. It also creates the possibility to target both internal employees and customers for social engineering attacks.
Encrypted or redacted passwords for internal users are still a risk. Bad actors can target users with a spoofed email or similar domain name and prompt users to update their passwords. Once the victim types their old password in the fraudulent message, the cybercriminals would have full access to any administrative privileges that the user would have. Using insider information found in the records would provide a position of trust and make the scam much more likely to succeed.
Many companies treat logging records like worthless analytics and either ignore them or aggregate them to see trends or other useful details. However, not taking the proper steps to secure this data can open a backdoor into the network and create an unwanted data breach.
Weak passwords are a nightmare waiting to happen. According to the 2020 Verizon Data Breach Investigations Report a massive 81% of data breaches occur because of stolen or weak passwords. In this discovery, I found a plain text password for a user listed as "Administer" that contained 1234, and it was very easy to guess the rest of the password based on the username.
As a security researcher, I often see exposed credentials, and unfortunately, they remain a critical vulnerability that is purely self-induced via weak security measures.
Legitimate researchers never bypass or access password-protected accounts. This is often where the most sensitive data is stored and where cybercriminals can cause the most damage.
Legally there is a patchwork of reporting requirements that is inconsistent from state to state, and the US does not have a uniform standard like the European Union's General Data Protection Regulation (GDPR). The law provides strict rules on data protection and privacy in the European Union and the European Economic Area.
On April 7th, 2021, Pennsylvania introduced a consumer data protection bill (HB 1126) modeled on the California Consumer Privacy Act. The Pennsylvania law allows financial penalties for data breaches involving nonencrypted and nonredacted personal information.
Consumers would be able to recover damages in the amount of not less than $100 and not greater than $750 per consumer per incident. The law also allows for the Pennsylvania Attorney General to bring civil actions for violations of the Consumer Data Privacy Act against businesses, service providers, and third parties and seek civil penalties up to $7,500 for each violation.
Cybersecurity is a complex web of data protection methods, tools, and actions, but when data is exposed, it is usually human error or actions. No matter how complex the technology we use to protect the data we collect and store, it's ironic that something as simple as a misconfigured database or weak password can potentially result in massive data exposure.
The more protections that are put in place, the better. Enhanced security measures create extra steps and might be an inconvenience, but at the end of the day, it is far better to do the extra work than to have a data breach or be the victim of ransomware.
- Logging records can also capture sensitive data that should not be publicly exposed in the process. I always recommend that companies know exactly what is being logged, who has access, and know when to delete data that is not in use.
- Another helpful tip would be to encrypt even the most basic logging functions as a safeguard to make sure nothing slips through the cracks in the event there is a data leak or unauthorized intrusion.
- This seems like common sense, but I would recommend that organizations stop using usernames and passwords that are easy to guess or based on the employee’s name and enforce a strict policy of complex passwords. Never reuse passwords or store credentials or security keys in plain text within the network.
I see these basic cyber hygiene steps ignored on a daily basis.
It is unclear how long the data was exposed or who else may have gained access before I sent my notifications and details of my discovery. We do not know the exact number of individuals who may have been impacted either.
I saw a large number of names, emails, and other records while manually reviewing the data. We never download or extract the information we find, and with 277 million records, this would take a long time and further put the data at risk.
Public access was restricted the same day I sent my responsible disclosure notice. No one from Inswitch or Freedom Credit Union replied to my notice or follow-up email at the time of publication.
It is unclear if partners, users, or authorities have been notified of the exposure. We are not implying any wrongdoing by either organization and only highlighting our discovery for cybersecurity awareness and educational purposes.
Protecting data before it can be stolen or exploited is a never-ending battle, and we hope our insight and coverage of real-world data incidents can help organizations to better protect the information and data they collect.