[BreachExchange] Brazilian Fintech iugu exposes confidential customer data

Destry Winant destry at riskbasedsecurity.com
Wed Apr 14 10:42:30 EDT 2021


https://www.tecmundo.com.br/seguranca/215272-fintech-brasileira-iugu-expoe-dados-confidenciais-clientes.htm

On Thursday (8), a security expert and consultant posted on his Twitter
account an alert about a data exposure that made customer information
from the financial operations automation company iugu publicly
accessible. According to the expert, customers' personal and banking
details, as well as details of their transactions, were available to
the public on an unprotected server for about an hour.

The flaw's discoverer, Bob Diachenko, is an expert on cyber threat
intelligence and a writer on the SecurityDiscovery blog. On Wednesday
(7), he accessed the open files, which held data on "all customers and
account details: e-mails, phones, addresses, invoices, etc.". The
specialist found sensitive data from 2013 to 2021 spread across
different folders.

About 1.7 TB of the company's information had been indexed by Shodan,
known as the hacker search engine. Once alerted by Diachenko, the
company took the database down within an hour, a window during which
the data could have been downloaded by a third party from a server
whose protections were misconfigured.

Although he did not, of course, download the data, Diachenko published
proof of the exposure, with the confidential information properly
blurred: a record of a savings account locked after several incorrect
password entries, in an apparent withdrawal attempt. The document
reveals the bank, branch, customer account number and balance.

What does iugu say?

Iugu is a fintech that operates in Brazil as a payment collection
platform: it intermediates transactions between merchants and
consumers and is responsible for processing the payments. In practice,
when a consumer makes a purchase at a partner online store, it is
iugu's details that appear on the credit card statement.

In a statement to TecMundo, iugu confirmed that "one of its search
databases has been exposed for approximately two hours and may have
affected about 1% of our backup database". The company claims that
the problem has been resolved and that customer information has not
been exposed.

"We inform that the problem with the vulnerability was resolved
promptly and that customer information, such as logins, passwords,
credit card and transactional information, was not exposed. During an
internal investigation, we also verified that only one IP had access
to this vulnerability. We are investigating whether the incident may
have involved personal data, and we will take all appropriate steps in
that regard."
