Man
Professional
- Messages
- 3,093
- Reaction score
- 634
- Points
- 113
One mistake shook 2 continents.
Online banking platform Bankingly leaked data from 7 financial institutions, affecting customers across Central and South America.
On May 24, the Cybernews team identified 7 Azure Blob Storage that did not have the necessary authentication. Due to the vulnerability, the personal data of almost 135,000 customers in Latin America was publicly available.
The leak affected residents of the Dominican Republic, Mexico, Ecuador, El Salvador, Bolivia and Costa Rica. At the same time, most of the victims, about 100,000 people, are citizens of the Dominican Republic.
Number of victims, countries and affected financial institutions
Bankingly is a fintech platform that provides web services and mobile applications for financial institutions in Latin America. The company, based in Uruguay, serves predominantly small and medium-sized banks, credit unions, and microfinance institutions, most of which are located in rural areas of Latin America.
Bankingly used vaults to store customer data, including their personal information and banking credentials, which made it possible to provide software solutions to financial institutions.
The following data were at risk:
The leak affected the following institutions:
Disclosed data
The problem is not only in reputational losses for financial institutions. The leak also poses serious risks to the security of customer data. While the published data does not give attackers direct access to financial transactions, it can become the basis for elaborate phishing attacks.
Typically, these transactions require more sensitive information, such as ID card information, social security numbers, or passwords. However, the presence of personal data increases the risk of phishing attacks and social engineering. For example, fraudsters may send emails on behalf of the victim's banking institution or call pretending to be bank employees to trick them into obtaining even more personal information or credentials.
Another potential risk is "credential stuffing" attacks, in which criminals use already leaked accounts to access other platforms if customers reuse the same passwords.
At the moment, the Bankingly vulnerability has been fixed, and access to the databases is closed. However, the company has not yet provided an official comment. Cybernews has also sent inquiries to the affected financial institutions and is awaiting their responses.
Source
Online banking platform Bankingly leaked data from 7 financial institutions, affecting customers across Central and South America.
On May 24, the Cybernews team identified 7 Azure Blob Storage that did not have the necessary authentication. Due to the vulnerability, the personal data of almost 135,000 customers in Latin America was publicly available.
The leak affected residents of the Dominican Republic, Mexico, Ecuador, El Salvador, Bolivia and Costa Rica. At the same time, most of the victims, about 100,000 people, are citizens of the Dominican Republic.
Number of victims, countries and affected financial institutions
Bankingly is a fintech platform that provides web services and mobile applications for financial institutions in Latin America. The company, based in Uruguay, serves predominantly small and medium-sized banks, credit unions, and microfinance institutions, most of which are located in rural areas of Latin America.
Bankingly used vaults to store customer data, including their personal information and banking credentials, which made it possible to provide software solutions to financial institutions.
The following data were at risk:
- Full names;
- Usernames of financial applications;
- Email addresses;
- Phone numbers;
- Work phone numbers.
The leak affected the following institutions:
- «San Martín de Porres» (COSMART);
- «La Nacional de Ahorros y Préstamos» (ALNAP);
- Caja Buenos Aires;
- Caja Mitras;
- Coac Puellaro;
- Credecoop;
- AMC.
Disclosed data
The problem is not only in reputational losses for financial institutions. The leak also poses serious risks to the security of customer data. While the published data does not give attackers direct access to financial transactions, it can become the basis for elaborate phishing attacks.
Typically, these transactions require more sensitive information, such as ID card information, social security numbers, or passwords. However, the presence of personal data increases the risk of phishing attacks and social engineering. For example, fraudsters may send emails on behalf of the victim's banking institution or call pretending to be bank employees to trick them into obtaining even more personal information or credentials.
Another potential risk is "credential stuffing" attacks, in which criminals use already leaked accounts to access other platforms if customers reuse the same passwords.
At the moment, the Bankingly vulnerability has been fixed, and access to the databases is closed. However, the company has not yet provided an official comment. Cybernews has also sent inquiries to the affected financial institutions and is awaiting their responses.
Source
