[BreachExchange] CASHBACK WEBSITE LEAKS PERSONAL INFORMATION AND BANK DETAILS OF 3 MILLION CUSTOMERS
Destry Winant
destry at riskbasedsecurity.com
Fri Oct 18 09:54:58 EDT 2019
https://www.securitynewspaper.com/2019/10/16/cashback-website-leaks-personal-information-and-bank-details-of-3-million-customers/
Researchers at security firm Safety Detectives have revealed a massive
data leak (up to 2 terabytes) hosted on an exposed Elasticsearch
server. The exposure affects around 3.5 million users of the websites
Pouringpounds.com and Cashkaro.com in India and the United Kingdom,
whose data is already on sale on the dark web. Both websites are
operated by the Pouring Pounds company.
The researchers found that these websites, which offer cashback
services and coupons, exposed sensitive user details, including:
Full names
Phone numbers
Email addresses
Usernames
Unencrypted passwords
Bank details linked to the account
The server was exposed to anyone, as it did not even require a
password. By looking for specific ports, anyone could find it and
extract the stored information, the researchers noted. The server
remained exposed for at least a couple of months.
The researchers analyzed the information exposed by each website
separately. In PouringPounds.com, which has more than one million
users, the leak consists primarily of plaintext usernames and
passwords, so any threat actor could take control of any account and
the assets guarded there. “Anyone who knows where and how to search could
easily take control of one of these accounts to find the associated
credits and transfer them via PayPal or any similar service,” the
experts added.
CashKaro, meanwhile, which has more than 2.5 million active users,
also exposed passwords in plaintext, as well as financial details
such as bank accounts and links to those accounts, information that
is vital to the online payment process. “Two full terabytes of personal
identification and financial data, belonging to millions of people, is
a really serious matter,” the researchers added.
The exposure was reported to the company responsible for the server
in early September. After a few days, the company’s security team
responded, stating that the database was already offline.
It should be noted that many Internet users reuse the same password
on two or more websites. When attackers obtain victims’ usernames and
passwords, they can extend the scope of the attack to other kinds of
websites, such as email services or social media platforms.
Whether as a result of a cyberattack or human error, deployments of
this kind are at constant risk of exposure. According to specialists
from the International Institute of Cyber Security (IICS), there are
several ways to mitigate the impact of such incidents. Users should
always verify that they are browsing a secure website protected with
HTTPS. In addition, users should avoid opening attachments in emails,
as this is one of the most common forms of infection. Defining a
unique password for each online service you use, in addition to
enabling additional controls (such as multi-factor authentication),
is also a recommended measure.