- FatakPay, an Indian lending company, was found to be storing sensitive data in an unprotected S3 bucket.
- The data included people’s names, addresses, IDs, and more.
- The company has since locked the database.
Instant loan company FatakPay kept confidential data of millions of its users exposed on the Internet, for an unknown period of time, to anyone who knew where to look.
In mid-September 2024, security researchers from Cybernews discovered a misconfigured Amazon AWS S3 bucket containing more than 27 million files filled with sensitive information.
Data found in the repository includes people’s full names, postal addresses, email addresses, telephone numbers, copies of national ID cards, loan agreements, account statements, completed loan applications, user selfies for verification, PAN (a PIN number issued by the Income Tax Department of India), Aadhaar (a PIN number issued by the Unique Identification Authority of India) and credit score reports.
Closing the file
After a few attempts, the researchers managed to contact FatakPay, which later closed the bucket but has yet to release an official statement about the discovery.
FatakPay is a microlending and digital payments platform in India that provides instant credit solutions to users for small transactions. At the time of this publication, its Google Play Store page shows over 1 million downloads, but the exact number of active users is not publicly available.
Misconfigured databases remain one of the key causes of data leaks. Some researchers warned that many organizations do not fully understand the shared responsibility model of most cloud hosting providers and believe that it is the service provider’s job to keep data secure.
As a result, researchers often stumble upon large databases full of information that criminals could use for identity theft, phishing, social engineering, wire fraud, and more.
Recently, a Mexican fintech startup was discovered to have a large database full of sensitive customer data open on the Internet. The company, called Kapital, had data on 1.6 million Mexicans, including voter IDs and selfies.