This widely used instant loan app leaks nearly 30 million files of user data


  • FatakPay, an Indian loan company, was found to be storing sensitive data in an unprotected S3 bucket
  • The data includes people’s names, addresses, IDs, and more
  • The company has since locked the database

Instant loan company FatakPay stored sensitive data of millions of its users on the Internet for an unknown period of time, exposed to anyone who knew where to look.

In mid-September 2024, security researchers from Cybernews discovered a misconfigured Amazon AWS S3 bucket with more than 27 million files filled with sensitive information.

The data in the bucket includes people’s full names, postal addresses, email addresses, telephone numbers, copies of national IDs, loan agreements, account statements, completed loan applications, user selfies for verification, PAN (a PIN issued by the Indian Income Tax Department), Aadhar (a PIN issued by the Unique Identification Authority of India) and credit score reports.

Close the archive

After a few attempts, the researchers managed to contact FatakPay, which subsequently closed the bucket, but has not yet released an official statement about the discovery.

FatakPay is a digital payment and microcredit platform in India that provides users with instant credit solutions for small ticket transactions. At the time of writing, the Google Play Store page shows over 1 million downloads, but the exact number of active users is not publicly available.

Misconfigured databases remain one of the leading causes of data breaches. Some researchers warned that many organizations do not fully understand the shared responsibility model of most cloud hosting providers, and instead believe that keeping the data safe is the service provider’s job.

As a result, researchers often come across large databases full of information that scammers can use for identity theft, phishing, social engineering, wire fraud and more.

Recently, a Mexican fintech startup was found to have a large database full of sensitive customer data wide open on the internet. The company, called Kapital, had data on 1.6 million Mexicans, including voter IDs and selfies.
