BreachExchange mailing list archives
Brazilian Fintech iugu exposes confidential customer data
From: Destry Winant <destry () riskbasedsecurity com>
Date: Wed, 14 Apr 2021 09:42:30 -0500
https://www.tecmundo.com.br/seguranca/215272-fintech-brasileira-iugu-expoe-dados-confidenciais-clientes.htm

A security expert and consultant published on his Twitter account on Thursday (8) a data security alert about an exposure that made customer information from iugu, a financial operations automation company, publicly accessible. According to the expert, customers' personal and banking details, as well as details of their transactions, were available to the public on an unprotected server for about an hour.

The discoverer of the flaw, Bob Diachenko, is a cyber threat intelligence expert and a writer for the SecurityDiscovery blog. On Wednesday (7), he accessed the open files, which contained data on "all customers and account details: e-mails, phones, addresses, invoices, etc.". He found sensitive data from 2013 to 2021 spread across different folders.

Indexed by Shodan, known as the hacker search engine, about 1.7 TB of the company's information was exposed. Once alerted by Diachenko, the company took the database offline within an hour, a window during which the data could have been downloaded by a third party from a server whose protections were poorly configured.

Although he did not, of course, download the data, Diachenko published proof, with the confidential information properly blurred, showing a savings account lock after several incorrect password entries, in an apparent withdrawal attempt. The document reveals the bank, branch, customer account and balance.

What does iugu say?

Iugu is a fintech that operates in Brazil as a payment collection platform: it intermediates transactions between merchants and consumers and is responsible for processing payments. That is, if a consumer makes purchases at a partner online store, iugu's data appears on the credit card statement.

In a statement to TecMundo, iugu confirmed that "one of its search databases has been exposed for approximately two hours and may have affected about 1% of our backup database".

The company claims that the problem has been resolved and that customer information was not exposed. "We inform that the problem with the vulnerability was resolved promptly and customer information, such as login, passwords, credit card, transactional information was not exposed. During an internal investigation, we also verified that only one IP had access to this vulnerability. We are investigating whether the incident may have involved personal data, and we will take all appropriate steps in that regard."

_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
If you wish to Edit your membership or Unsubscribe you can do so at the following link: https://lists.riskbasedsecurity.com/listinfo/breachexchange