Popular online bill paying site leaks data of thousands of users

  • Security researcher finds large unsecured online database belonging to Willow Pays
  • The database contained plenty of sensitive customer information
  • It is now locked down, but users should still be cautious

Bill payment platform Willow Pays kept a huge database full of sensitive customer information unprotected online, available to anyone who knew where to look, an expert has claimed.

Researcher Jeremiah Fowler, known for hunting down misconfigured and non-password-protected databases on the internet, revealed he recently discovered a database containing more than 240,000 records.

“There were folders inside the database indicating bills, mailing lists, account inconsistencies, repayment schedules, screenshots, settings, and snapshots,” he said. “In a limited sampling of the exposed documents, I saw records that included names, email addresses, credit limits, and other internal information. One single spreadsheet document contained the details of 56,864 individuals, indicating if they were prospects, active customers, or blocked accounts.”

Missing details

Soon after, Fowler was able to attribute the database to Willow Pays, a financial service which helps users manage their bills by paying them upfront. The service allows users to repay the amount in four interest-free installments, making it easier to handle expenses. This service also supports building credit by ensuring timely repayments.

Fowler reached out to Willow Pays, which locked down the database soon after. However, the company did not reply to his emails, and did not say whether it manages the database in-house or outsourced the job to a third party. Furthermore, we don’t know how long the database remained unlocked, or whether any malicious actors accessed it before Fowler did.

Misconfigured databases remain one of the most common causes of data leaks and spills on the internet. Many security researchers warn that companies do not properly understand the shared security model of most cloud service providers, and that they mistakenly place too much trust in those providers instead of protecting their assets themselves.

Via Website Planet

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
