New York-based FBS, a leading foreign exchange broker for online trading, recently left an Elasticsearch server exposed on the Internet that contained over 16 billion data records, including personally identifiable information of its customers.
The massive data exposure was discovered by security researchers at WizCase in October last year. They found that the international online forex broker stored almost 20TB of data on an Elasticsearch server that was reachable from the Internet and protected by neither a password nor encryption.
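The failure described above is an Elasticsearch node listening on a public interface with no authentication and no TLS. The following elasticsearch.yml fragments are an added illustration, not configuration taken from FBS or WizCase: the first reproduces the weak state, the second shows the settings that close it on the 7.x line that was current at the time (the keystore path and host binding are assumed placeholder values).

```yaml
# --- WEAK: what an openly exposed node typically looks like (illustrative) ---
# Binds to every interface and relies on no authentication or transport encryption.
cluster.name: trading-data
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false          # anyone who can reach 9200 can read and write every index

# --- HARDENED: the same node with access control and encryption turned on ---
cluster.name: trading-data
network.host: 10.0.5.12                 # assumed private address; never bind a data node to a public IP
http.port: 9200

# Require credentials (basic auth, API keys, or realm-backed users) on every HTTP request.
xpack.security.enabled: true

# Encrypt client traffic so credentials and records are not readable on the wire.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12      # assumed path under config/

# Encrypt and authenticate node-to-node traffic as well.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12   # assumed path
xpack.security.transport.ssl.truststore.path: certs/transport.p12 # assumed path

# Record who accessed what, so an exposure window can be scoped after the fact.
xpack.security.audit.enabled: true
```

After applying the hardened settings, an unauthenticated GET to https://host:9200/ should return HTTP 401 rather than cluster metadata; a 200 response without credentials means the change has not taken effect.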
“Despite containing very sensitive financial data, the server was left open without any password protection or encryption. The WizCase team found that the FBS information was accessible to anyone. The breach is a danger to both FBS and its customers. User information on online trading platforms should be well secured to prevent similar data leaks,” said WizCase web security expert Chase Williams.
The exposed data contained sensitive personal information of users including names, passwords, email addresses, passport numbers, national IDs, credit cards, financial transactions, country, IP addresses, mobile device models, social media IDs including Google IDs and Facebook IDs, and more.
The exposed data also included several files uploaded by users for verification, such as personal photos, national ID cards, drivers' licenses, birth certificates, bank account statements, utility bills, and credit card details. WizCase also published a few images in its blog post that showed French and Swedish credit cards, a Portuguese passport, and details of a $500,000 transaction.
The team of researchers identified the data breach on October 1 last year and reached out to FBS the next day. As per the report, FBS secured the open server on October 5th. While it is not known whether the exposed server was accessed by malicious hackers, Williams said the data repository could be used by cyber criminals to commit different types of crime including identity theft and fraud, scams, phishing, credit card fraud, blackmail, business espionage, account takeover, and more.
WizCase is now advising online traders to reach out to FBS for additional assistance and to change their online trading account passwords immediately. Installing anti-malware software on their devices, enabling two-factor authentication, avoiding any suspicious links or attachments received by email, checking accounts for fraudulent or unusual activity, and using a VPN for additional privacy and security are a few steps that users can take to protect their personal information from unauthorised access.
"In the rush toward online trading though, users have entrusted terabytes of confidential data to online forex trading platforms. With financial transactions being at the core of forex trading, the nature of user data held in these trading databases is highly sensitive. This has made online trading sites a lucrative target for cybercriminals," Wizcase said.
The phenomenon of large organisations exposing vast amounts of enterprise and customer data online by failing to secure cloud databases with passwords is very common. In early 2019, security researcher Bob Diachenko unearthed an Elasticsearch database containing more than 24 million banking and financial documents, mostly digitised credit and mortgage reports. The database was stored on a cloud server without any password protection.
The exposed database contained 51GB of confidential financial and banking data that could easily be used by any opportunistic cyber criminal to carry out identity fraud, file false tax returns, and obtain loans and credit cards in the name of innocent citizens.
In November last year, British cyber security firm Sophos also misconfigured a tool used to store information on customers, thereby leaking the names, email addresses, and phone numbers of a subset of its customers. After the exposure was discovered by a security researcher, Sophos told ZDNet that the misconfiguration affected only a "small subset" of the company's customers and exposed their first and last names, email addresses, and phone numbers.