Online Trading Platform Financial Data Found on Misconfigured Server
Note: We are reader supported and may earn a small commission when you click on links in posts
Data belonging to Forex trading customer was found unprotected on a server that anyone could access. More than 20 terabytes of highly sensitive customer data was exposed on a misconfigured server. Exposed data includes names, government IDs, and bank accounts.
The data came from FBS.com and FBS.eu trading sites.
Customer IDs, as well as both sides of customers’ credit cards, were exposed leaving them open to online scams like identity theft and phishing schemes.
SEE ALSO: 6 Signs of a Romance Scammer
The data resided on an Elasticsearch server and was discovered by security researchers at WizCase. The server was not protected and accessible to anyone who discovered it. The information in the database was not encrypted or password protected.
“The data leak was unearthed as part of WizCase’s ongoing research project that randomly scans for unsecured servers and seeks to establish who are the owners of these servers,’ said WizCase in a post about the leaked customer data.
Forex is a major online trading platform for foreign currency, securities, and commodities trading platform.
The unsecured server contained 20 TB of customer data and over sixteen billion records according to the report. It was discovered in October.
Exposed Customer Data Includes:
The exposed data is extensive.
- full names
- email address
- unencrypted passwords
- billing addresses
- phone numbers
- IP address
- passport numbers
- social media accounts
- User ID verification documents including government ID cards, driver’s licenses, bank account statements, utility bills, and credit cards
Customer login history, loyalty data, and password reset links was also exposed.
Scammers Use Stolen Data for Scams
A data leak like this leaves customers open to future online scams and fraud. There is no telling who accessed this treasure trove of customer data before it was discovered by the cyber security researchers.
In February, the US Federal Trade Commission (FTC) released data showing that romance scams account for the costliest type of online fraud. Romance scams have cost consumers over $143 million in losses in the past three years.
Cybercriminals use personally identifiable information (PII) like that found in this Forex trading platform data leak to carry out a variety of online fraud schemes.
Types of Fraud Exposed Customers are Vulnerable to:
- Identity Theft – Government IDs like drivers licenses along with bank account information is enough information for a fraudster to open up more credit cards, automobile loans, or other lines of credit using the stolen identities and PII.
- Email phishing schemes – Fraudsters may already have your name and email address. They use this to launch future email phishing scams trying to trick you into downloading a malicious email attachment or send you to a harmful website. These emails and websites try to scam you out of your money. Always use a reliable antivirus app to help detect and intercept fraudulent emails and websites. For only a few dollars a month, you can protect yourself with an app that detects the latest money stealing schemes.
- Credit Card Theft – The Forex data leak contained information the platform was used to verify the identities of customers. This information can also be used to fraudulently open up consumer credit cards and additional lines of credit.
- Hacking Online Accounts – People frequently re-use the same email and password for multiple online accounts. Customer passwords were exposed in this data leak. That means if fraudsters have one password and email address, they may be able to use it to log into your other online accounts – like your bank – and transfer your money out. The average consumer has about 200 online accounts making it hard to remember a unique password for each one of them.
- Use a reliable password app to help you create and store unique and hard-to-guess passwords for each individual online account.
“WizCase discovered the leak on October 1st, 2020 and reached out to FBS on October 2nd. Subsequently, FBS secured the server on October 5th. Nevertheless, reach out to FBS if they have not contacted you about the breach already, says WizCase.