- Duc app exposed 360,000 unencrypted customer files
- Data included IDs, addresses, and transaction details
- Database secured after researcher alerted company
Duc App, a Canadian money transfer service provider, was leaking sensitive customer data to the wide web, allowing anyone with an internet connection and a browser to access it.
Security researcher Anurag Sen from CyPeace recently discovered a publicly accessible Amazon-hosted storage server with sensitive data on hundreds of thousands of people.
This included people’s names and home addresses, as well as the dates, times, and details of their transactions. The files also contained driver’s licenses, passports, and other documents collected during the Know Your Customer (KYC) registration process.
Locking down the database
Sen said the server listed more than 360,000 files, all in unencrypted format and available to anyone who knew where to look. After making the discovery, Sen reached out to TechCrunch to help contact Duc App’s owners, a company called Duales.
The publication managed to contact the owners, who locked the database down soon after. TechCrunch said it could not confirm the number of exposed driver’s licenses and passports, but said it saw “several folders” with tens of thousands of user-uploaded files, dating back to September 2020, with new files still being uploaded daily.
In an email statement shared with the publication, Duales chief executive officer Martinez González said the data was stored on a “staging site” – meaning the website was used mostly for testing. However, he did not explain why the database was publicly accessible.
“All protections are in place,” Martinez González said. “We are notifying the appropriate parties. We have not contracted any services from you.” We don’t know if any malicious third parties managed to find the database before Sen, but it is always possible. Cybercriminals frequently scan the wider web for exposed databases such as this one.
Generally, cloud misconfigurations are the number one cause of data leaks and spills, resulting mostly from the misconception that cloud security is primarily the service provider’s responsibility.
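The exposure described above is the kind of thing an owner-side audit catches before a researcher does. The following is an added example, not code from the article or from Duales, that flags an Amazon S3 bucket reachable by anonymous users from its configuration alone; the input dicts mirror the shapes boto3 returns from get_public_access_block, get_bucket_acl and get_bucket_policy, and the sample buckets are constructed.

```python
# Added example (not from the article): flag an S3 bucket that is reachable by
# anonymous users from its configuration alone, so it runs offline. The input
# dicts mirror the shapes boto3 returns from get_public_access_block,
# get_bucket_acl and get_bucket_policy; sample buckets below are constructed.
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def acl_public(acl):
    """True if any grant targets the AllUsers or AuthenticatedUsers group."""
    return any(g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)
               for g in acl.get("Grants", []))


def policy_public(policy):
    """True if an Allow statement names an anonymous principal ("*")."""
    if not policy:
        return False
    doc = json.loads(policy) if isinstance(policy, str) else policy
    for stmt in doc.get("Statement", []):
        p = stmt.get("Principal")
        anonymous = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anonymous:
            return True
    return False


def bucket_findings(name, pab, acl, policy=None):
    """Return findings for one bucket; [] means no anonymous access path.
    Simplified model: IgnorePublicAcls neutralises a public ACL and
    RestrictPublicBuckets neutralises a public policy; the other two flags
    only stop new public settings from being written.
    """
    findings = []
    if not all(pab.get(k) for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                    "BlockPublicPolicy", "RestrictPublicBuckets")):
        findings.append(f"{name}: Block Public Access is not fully enabled")
    if acl_public(acl) and not pab.get("IgnorePublicAcls"):
        findings.append(f"{name}: ACL grants READ to an anonymous group")
    if policy_public(policy) and not pab.get("RestrictPublicBuckets"):
        findings.append(f"{name}: bucket policy allows an anonymous principal")
    return findings


# Constructed sample: a staging bucket left world-readable versus one locked down.
OPEN_PAB = dict.fromkeys(("BlockPublicAcls", "IgnorePublicAcls",
                          "BlockPublicPolicy", "RestrictPublicBuckets"), False)
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
LOCKED_PAB = dict.fromkeys(OPEN_PAB, True)
```

Running `bucket_findings("kyc-staging", OPEN_PAB, OPEN_ACL)` reports both the missing Block Public Access settings and the world-readable ACL, while the same ACL under `LOCKED_PAB` produces no findings.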
