Security researchers have discovered a double breach in which two money-saving websites leaked 2 terabytes of data, including unencrypted passwords.
The sensitive data exposed by the British website PouringPound.com and its Indian sister site, CashKaro.com, included full names, mobile phone numbers, email addresses, bank details, plain-text passwords, usernames and more.
“A bad actor could easily open an account and find the associated cash-back credit – available and ready to be transferred to any PayPal address easily. All you need to execute such a transaction would be the password which, again we found available in plain text,” the researchers said.
It should be noted that the data seems to relate only to active users, meaning those who have logged in in recent months.
The breach was first discovered at the end of August 2019, but wasn’t investigated until September 2. The data had been found on an exposed Elasticsearch server with no password protection.
The researchers wrote: “Two whole terabytes of personally identifying and financial/payment data of up to 3.5 million people is a very serious exposure by any measure.
“Take into consideration that many web users often use the same password across all sites. With unencrypted passwords and their associated emails and additional account details, this can impact individuals in countless ways.”
The research team attempted to contact the owner of the data on numerous occasions, including via Twitter, but the concern had not been forwarded to its security team. The database was finally closed on September 21.
As the researchers investigated the database, it continued to grow: on each day it contained logs for that day plus the prior six days.
A spokesperson from Safety Detectives commented: “Some companies always deny or try to minimize leaks.
“While some companies react well by securing the breach promptly, other companies do not react quickly enough and, when eventually cornered, tend to deny the breach or minimize the impact to preserve reputation.”
The post #Privacy: Cashback sites exposes 2TB of sensitive data appeared first on PrivSec Report.