- Duc app exposed 360,000 unencrypted client files
- Data included IDs, addresses and transaction details
- Database secured after researcher alerts company
Duc App, a Canadian money transfer service provider, was leaking sensitive customer data across the vast web, allowing anyone with an internet connection and a browser to access it.
Security researcher Anurag Sen of CyPeace recently discovered a publicly accessible Amazon-hosted storage server containing sensitive data on hundreds of thousands of people.
This included people’s names, home addresses, but also dates, times and details of their transactions. They also contained driver’s licenses, passports and other documents collected during the Know Your Customer (KYC) registration process.
Article continues below
Database locking
Sen said the server listed more than 360,000 files, all in unencrypted format and accessible to anyone who knows where to look. After making the discovery, Sen contacted TechCrunch to help contact the owners of Duc App, a company called Duales.
The publication managed to contact the owners, who locked the database shortly after. TechCrunch said it could not confirm the number of driver’s licenses and passports exposed, but said it had seen “multiple folders” containing tens of thousands of files uploaded by users, dating back to September 2020 and uploaded daily.
In an emailed statement shared with the publication, Duales CEO Martinez González said the data was stored on a “test site,” meaning the website was primarily used for testing purposes. However, he did not explain why the database was publicly accessible.
“All the protections are in place,” Martinez González said. “We are informing the parties concerned. We have not contracted any services from you.” We don’t know if malicious third parties managed to find the database before Sen, but it’s still possible. Cybercriminals frequently scan the wider web for exposed databases like this one.
Typically, cloud misconfigurations are the number one cause of data leaks and spills, mainly resulting from the misconception that cloud security is primarily the responsibility of the service provider.
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp Also.