- A researcher found 378GB of backup data
- The archive belongs to the Navy Federal Credit Union
- The files were quickly locked down
Navy Federal Credit Union (NFCU), the largest credit union in the United States, was leaking sensitive information to the open web by keeping a backup database unprotected and available on the wider internet. This is according to Jeremiah Fowler, a cybersecurity researcher known for hunting unencrypted, non-password-protected databases.
In a recent announcement, Fowler said he found an archive containing 378GB of backup data. The data belongs to the largest credit union serving military members and their families, and contained storage locations, keys, hashed passwords, and other internal potentially sensitive information.
“In a limited sampling of the exposed files, I saw internal users’ names, email addresses, and what appeared to be hashed passwords and keys,” Fowler explained. “The backup files also revealed what appeared to be operational metadata, system logs, and business logic such as codes, product tiers, optimization processes, rate structures, and other data that should not have been publicly accessible.”
Firmware update
NFCU serves military members, veterans, Department of Defense employees, and their families with banking, loans, and financial services. It was founded in 1933, and according to Website Planet, holds roughly $180.8 billion in assets under management, and counts 14.5 million members.
As soon as the researcher reached out to NFCU, the organization locked down the database, but did not respond to the disclosure notice. Therefore, it remains unknown who actually operates the backup (it could be NFCU, but it could also be a third-party), for how long it remained open, and if anyone accessed it before Fowler.
Despite member data not being available in plain text, there is “significant potential risk” in exposing ancillary information, Fowler stressed. “Hypothetically, attackers could use internal information (such as names, emails, and user IDs) to target staff or accounts with credential stuffing, phishing, or other social engineering attempts, with the goal of gaining further access to sensitive internal systems, files, or member data.”
Therefore, customers are advised to be extra vigilant when receiving email messages and other communication claiming to come from NFCU.
Via Website Planet
You might also like
- Reports claim billions of Gmail accounts could be vulnerable after data breach - but Google says that's not true
- Take a look at our guide to the best authenticator app
- We've rounded up the best password managers
