The server was exposed to the public without a password or any other form of authentication, allowing access to tens of thousands of passport and ID card copies.
In recent news, Jeremiah Fowler of Website Planet discovered an exposed database belonging to the online currency exchange platform Fiatusdt. The database contained cryptocurrency sales records, including customer names, bank account numbers, purchase and sales records, and other sensitive information.
Online currency exchanges are internet-based platforms that facilitate the transfer of currencies for distribution in a stable, centralized setting between countries or companies. Like their physical counterparts, online currency exchanges make money by charging a nominal fee and/or through the bid-ask spread in a currency.
Amongst the exposed information were Know Your Customer (KYC) compliance records and identification images, which were particularly concerning as they contained sensitive information that proved the identity of customers.
Fowler reported having viewed as many as 20,000 passport and identity card images. The customer ID documents appeared to belong to individuals from all over the world, including the following countries:
- Oman
- China
- India
- Malaysia
- Australia
- Indonesia
- Singapore and others.
According to Website Planet's blog post, it is still unclear how many users were affected by the data leak, since the total number of records could not be seen, and it is also unknown whether the exposed records were accessed by anyone else before they were discovered.
The database also contained screenshots of deposit and withdrawal amounts, which exposed bank transfer records identifying customer names, account numbers, email addresses, phone numbers, and other sensitive information.
Additionally, transaction IDs and wallet addresses for transactions were present in the database.
This database was exposed because its AWS storage was misconfigured: the storage name and address were reachable without restriction, which allowed public access. As a result, the database was open and accessible to anyone with an internet connection.
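The article does not say which AWS setting was wrong, but the usual way an S3 bucket ends up readable by anyone is a public bucket policy or ACL with Block Public Access switched off. The following is an added example, not code from the article or from the company involved, that checks the three settings together; the bucket name, policy and ACL values are constructed for illustration.

```python
# Added example, not the article's code: flag S3 settings that leave objects reachable anonymously.
# Input shapes mirror GetPublicAccessBlock / GetBucketPolicy / GetBucketAcl; sample values are constructed.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def policy_is_public(policy: dict) -> bool:
    """True if an Allow statement applies to every principal with no Condition."""
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"])
        )
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            return True
    return False


def acl_is_public(acl: dict) -> bool:
    """True if the ACL grants anything to the AllUsers or AuthenticatedUsers groups."""
    return any(g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)
               for g in acl.get("Grants", []))


def assess_bucket(pab: dict, policy: dict, acl: dict) -> list:
    """Return the ways the bucket is exposed; an empty list means none found."""
    findings = []
    # Block Public Access settings neutralise public ACLs / policies when enabled.
    if acl_is_public(acl) and not pab.get("IgnorePublicAcls", False):
        findings.append("ACL grants access to an anonymous or all-AWS-users group")
    if policy_is_public(policy) and not pab.get("RestrictPublicBuckets", False):
        findings.append("bucket policy allows any principal without a condition")
    return findings


# Constructed: the exposed state (Block Public Access off, wildcard GetObject policy, public ACL).
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
OPEN_PAB = {k: False for k in PAB_KEYS}
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
               "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-kyc-bucket/*"}]}
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
# Constructed: the hardened state (all four Block Public Access settings on, no public grants).
CLOSED_PAB = {k: True for k in PAB_KEYS}
CLOSED_POLICY = {"Version": "2012-10-17", "Statement": []}
CLOSED_ACL = {"Grants": []}

if __name__ == "__main__":
    print(assess_bucket(OPEN_PAB, OPEN_POLICY, OPEN_ACL))  # two findings
    print(assess_bucket(CLOSED_PAB, CLOSED_POLICY, CLOSED_ACL))  # []
```

Running the same checks across every bucket in an account, and alerting when the result is non-empty, is the kind of continuous control that catches an exposure like this one before a researcher does.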
The company was notified of the breach through a responsible disclosure notice, and public access to the database was subsequently closed.