Data Security

Cashback website leaks personal information and bank details of 3 million customers

IT security audit researchers at the security firm Safety Detectives have revealed a massive data leak (up to 2 terabytes) hosted on an Elasticsearch server. The exposure affects around 3.5 million users of the websites Pouringpounds.com and Cashkaro.com in India and the United Kingdom, and their data is already on sale on the dark web. Both websites are operated by the Pouring Pounds company.

Experts found that these websites, which offer cash back services and coupons, have exposed sensitive user details, including:

  • Full names
  • Phone numbers
  • Email addresses
  • Usernames
  • Unencrypted passwords
  • Bank details linked to the account

The server was exposed to anyone on the Internet, as it did not even require a password. Anyone scanning for the relevant open port could find it and extract the stored information, the IT security audit specialists noted. The server remained exposed for at least a couple of months.
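As an added illustration (not part of the original report, and not the affected company's configuration), the two elasticsearch.yml fragments below contrast a setup that produces exactly this kind of exposure with a hardened one. The settings are standard Elasticsearch 7.x options; the host names and the keystore path are placeholders.

```yaml
# --- WEAK: an unauthenticated cluster reachable from the Internet ---
# Binding to every interface with security left off means anyone who finds
# TCP/9200 can read and dump every index without credentials.
cluster.name: cashback-prod          # placeholder name
network.host: 0.0.0.0                # listens on all interfaces
http.port: 9200
xpack.security.enabled: false        # default in 7.x before 8.0: no auth at all

# --- HARDENED: authentication required, transport encrypted, local binding ---
cluster.name: cashback-prod          # placeholder name
network.host: 10.0.5.12              # placeholder: private-network interface only,
                                     # never a public address
http.port: 9200
discovery.type: single-node

# Require credentials for every HTTP request (free in the Basic licence
# from 6.8 / 7.1 onwards).
xpack.security.enabled: true

# Encrypt client traffic so credentials and query results are not sniffable.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12   # placeholder path

# Encrypt node-to-node traffic as well (mandatory once security is enabled).
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
```

A quick external check for the weak state is to request the cluster root URL from outside the network: an HTTP 200 with cluster details instead of a 401 means the instance is open to everyone, which is the condition the report describes.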

The specialists analyzed the information exposed by each website separately. For PouringPounds.com, which has more than one million users, the leak consists primarily of plain-text usernames and passwords, so any threat actor could take control of any account and the assets held in it. “Anyone who knows where and how to search could easily take control of one of these accounts to find the associated credits and transfer them via PayPal or any similar service,” the experts added.

CashKaro, meanwhile, which has more than 2.5 million active users, also exposes passwords in plain text, as well as financial details such as bank accounts and links to those accounts, information vital to the online payment process. “Two full terabytes of personal identification and financial data, belonging to millions of people, is a really serious matter,” the IT security audit experts added.

The exposure was reported to the company responsible for the server in early September. After a few days, the company’s security team responded, stating that the database was already offline.

It should be noted that many Internet users reuse the same password on two or more websites. When attackers obtain victims’ usernames and passwords from a leak like this one, they can extend the attack to other services, such as email providers or social media platforms, wherever the same credentials were reused.

Whether as a result of a cyberattack or of human error, deployments of this kind are at constant risk. According to IT security audit specialists from the International Institute of Cyber Security (IICS), there are several ways to mitigate the impact of such incidents. Users should always verify that they are browsing a secure website protected with HTTPS. In addition, users should avoid opening attachments in unsolicited emails, as this is one of the most common forms of infection. Defining a unique password for each online service you use, together with additional controls such as multi-factor authentication, is also a recommended measure.
