- Security researcher finds large unsecured online database belonging to Willow Pays
- The database contained a large volume of confidential customer information.
- It is now blocked, but users should still be careful.
Bill payment platform Willow Pays kept a huge database full of sensitive customer information unprotected online and available to anyone who knew where to look, an expert has claimed.
Researcher Jeremiah Fowler, known for searching the Internet for misconfigured and passwordless databases, revealed that he recently discovered a database containing more than 240,000 records.
“There were folders within the database indicating invoices, mailing lists, account inconsistencies, payment schedules, screenshots, settings and snapshots,” he said. “In a limited sample of the exposed documents, I saw records that included names, email addresses, credit limits, and other internal information. A single spreadsheet document contained the details of 56,864 people, indicating whether they were prospects, active customers or blocked accounts.”
Missing details
Shortly after, Fowler was able to attribute the database to Willow Pays, a financial service that helps users manage their bills by paying them in advance. The service allows users to repay the amount in four interest-free installments, making it easier to manage expenses. This service also supports credit building by ensuring timely payments.
Fowler approached Willow Pays, which locked the database shortly after. However, the company did not respond to his emails and did not say whether it manages the database in-house or if the work was outsourced to a third party. Additionally, we don’t know how long the database remained unlocked or if any malicious actors accessed it before Fowler.
Poorly configured databases remain one of the most common causes of data leaks and spills on the Internet. Many security researchers warn that companies do not adequately understand the shared responsibility model of most cloud service providers and mistakenly rely too heavily on the provider, rather than securing their own assets themselves.
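The exposure pattern described above, a database reachable from the Internet with no password required, is one that a tenant is responsible for under the shared responsibility model: the provider secures the platform, but the bind address and authentication settings belong to whoever deploys the database. The following is an added example, not code from the article or from Willow Pays, that audits a server configuration for that pattern. The key names follow MongoDB's mongod configuration layout (`net.bindIp`, `net.bindIpAll`, `net.tls.mode`, `security.authorization`); the sample configs are constructed for illustration and say nothing about the real deployment.

```python
"""Added example (not from the article): audit a database server configuration
for the exposure pattern described above, i.e. listening on a public interface
with no authentication. Key names follow MongoDB's mongod config layout
(net.bindIp, net.bindIpAll, net.tls.mode, security.authorization). The sample
configs at the bottom are constructed and do not describe any real deployment."""
from dataclasses import dataclass

# Addresses that mean "accept connections on every interface".
PUBLIC_BIND_ADDRESSES = {"0.0.0.0", "::"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "critical", "medium" or "low"
    setting: str    # dotted path of the offending setting
    message: str


def _get(cfg, dotted_path, default=None):
    """Walk a dotted key path through nested dicts, returning default if absent."""
    node = cfg
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def is_publicly_bound(cfg):
    """True if the server accepts connections on every network interface."""
    if _get(cfg, "net.bindIpAll", False) is True:
        return True
    bind_ip = str(_get(cfg, "net.bindIp", "127.0.0.1"))
    return any(addr.strip() in PUBLIC_BIND_ADDRESSES for addr in bind_ip.split(","))


def audit_config(cfg):
    """Return a list of Findings, most severe first (empty list means no issue)."""
    findings = []
    public = is_publicly_bound(cfg)
    auth_enabled = _get(cfg, "security.authorization", "disabled") == "enabled"
    tls_required = _get(cfg, "net.tls.mode", "disabled") == "requireTLS"

    if public and not auth_enabled:
        findings.append(Finding("critical", "security.authorization",
                                "bound to all interfaces with no authentication: "
                                "anyone who can reach the port can read the data"))
    elif public:
        findings.append(Finding("medium", "net.bindIp",
                                "reachable on all interfaces; restrict bindIp or add "
                                "a network firewall in addition to authentication"))
    elif not auth_enabled:
        findings.append(Finding("low", "security.authorization",
                                "authentication disabled; only local clients can connect, "
                                "but enable it before widening network access"))
    if public and not tls_required:
        findings.append(Finding("medium", "net.tls.mode",
                                "credentials and records travel in cleartext; set requireTLS"))
    return findings


def is_exposed(cfg):
    """Shortcut: does the config match the 'open to anyone who finds it' pattern?"""
    return any(f.severity == "critical" for f in audit_config(cfg))


# Constructed sample configs (illustrative only).
EXPOSED_CONFIG = {
    "net": {"bindIp": "0.0.0.0", "port": 27017},
    "security": {"authorization": "disabled"},
}
HARDENED_CONFIG = {
    "net": {"bindIp": "127.0.0.1,10.0.0.5", "port": 27017, "tls": {"mode": "requireTLS"}},
    "security": {"authorization": "enabled"},
}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, [(f.severity, f.setting) for f in audit_config(cfg)])
```

The check deliberately treats "public bind" and "no authentication" as separate settings and only raises the critical finding when both hold, because either one alone is a weaker exposure; a hardened config binds to specific addresses, requires authentication and requires TLS, so it yields no findings.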
Via Website Planet