This widely-used instant loan app leaks nearly 30 million files of user data
Mumbai-based company was storing sensitive data in an unprotected S3 bucket
- FatakPay, an Indian loan company, was found storing sensitive data in an unprotected S3 bucket
- The data included people's names, addresses, IDs, and more
- The company has since locked the database down
Instant loan company FatakPay kept sensitive data on millions of its users exposed on the internet for an unknown period of time, accessible to anyone who knew where to look.
In mid-September 2024, security researchers from Cybernews discovered a misconfigured Amazon AWS S3 bucket containing more than 27 million files filled with sensitive information.
The data found in the bucket includes people’s full names, postal addresses, email addresses, phone numbers, copies of national IDs, loan agreements, account statements, filled-in loan applications, user selfies for verification, PAN (a PIN number issued by the Indian Income Tax Department), Aadhaar (a PIN number issued by the Unique Identification Authority of India), and credit score reports.
Closing the archive
After a few attempts, the researchers managed to get in touch with FatakPay, which then closed the bucket, but has not yet released an official statement regarding the discovery.
FatakPay is a digital payment and micro-lending platform in India that provides instant credit solutions to users for small-ticket transactions. At press time, its Google Play Store page shows 1M+ downloads, but the exact number of active users is not publicly available.
Misconfigured databases remain one of the key causes of data leaks. Some researchers have warned that many organizations don’t fully understand the shared responsibility model used by most cloud hosting providers, and instead believe it is the service provider’s job to keep the data secure.
As a result, researchers often stumble upon large databases full of information that crooks could use for identity theft, phishing, social engineering, wire fraud, and more.
Recently, a Mexican fintech startup was found holding a large database full of sensitive customer data wide open on the internet. The company, called Kapital, held data on 1.6 million Mexicans, including voter IDs and selfies.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.