- A widely used trading broker left an ElasticSearch database accessible online without protection.
- The database contained 16 billion records reaching 20 TB in size, giving away practically everything about the traders.
- The consequences of this exposure are dire, and mitigating the associated risks is neither easy nor simple.
Researchers at WizCase have discovered a massive data leak that belongs to FBS, a Cyprus-based online trading broker used by millions of traders in over 190 countries. The leak includes sensitive personally identifiable information (PII), financial information, government documents, numbers, and even passwords in plaintext form.
The data exposure lasted for at least a few days before FBS responded to WizCase’s report and secured the ElasticSearch server that was left open to access by anyone due to a misconfiguration.
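The misconfiguration behind this kind of exposure is usually a node bound to a public interface with Elasticsearch's built-in authentication left off. As an added example (not code from WizCase or FBS), the following Python audit reads an `elasticsearch.yml` and flags that combination; it assumes the common flat `dotted.key: value` layout and treats a missing `xpack.security.enabled` as off (the 7.x default; 8.x enables it by default). The sample configs are constructed, not the broker's real files.

```python
"""Audit a flat elasticsearch.yml for the pattern behind open-database leaks: a node
reachable from other hosts with authentication or TLS off (assumes flat dotted keys)."""
from typing import Dict, List
# network.host values that keep the HTTP API reachable from the local machine only.
LOOPBACK = {"_local_", "127.0.0.1", "::1", "localhost"}

def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Read 'key: value' lines, ignoring comments and blank lines."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_on(settings: Dict[str, str], key: str) -> bool:
    # A missing flag counts as off (the 7.x default; 8.x turns security on by default).
    return settings.get(key, "false").lower() == "true"

def audit(settings: Dict[str, str]) -> List[str]:
    """Return findings as strings; an empty list means nothing to flag."""
    host = settings.get("network.host", "_local_")  # default bind is loopback
    findings: List[str] = []
    if host in LOOPBACK:
        return findings  # not reachable from other hosts; the checks below do not apply
    if not is_on(settings, "xpack.security.enabled"):
        findings.append(f"network.host={host} with xpack.security.enabled off: "
                        "anyone who can reach port 9200 can read every index")
    if not is_on(settings, "xpack.security.http.ssl.enabled"):
        findings.append(f"network.host={host} with HTTP TLS off: "
                        "credentials and documents cross the network in cleartext")
    return findings

# Constructed sample configs (not FBS's real files): the exposed pattern and a fixed one.
WEAK_CONFIG = """
cluster.name: demo-cluster
network.host: 0.0.0.0      # listens on every interface
xpack.security.enabled: false
"""
FIXED_CONFIG = """
cluster.name: demo-cluster
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""
if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit(parse_flat_yaml(cfg)) or ["ok"])
```

Enabling security alone does not close the hole; an anonymous role or a reverse proxy that forwards without credentials can still expose the indices, so verify with an unauthenticated request from outside the host after the change.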
The leaking database contained 20 TB of data and 16 billion records, comprising the following:
- Names and surnames
- Email addresses
- Phone numbers
- Billing addresses
- Time zone
- IP addresses
- Passport numbers
- Mobile device models
- Operating system
- Email sent to FBS users
- Social media IDs, including GoogleIDs and FacebookIDs
- Files uploaded by users for verification, including personal photos, national ID cards, driver's licenses, birth certificates, bank account statements, utility bills, and unredacted credit cards
- FBS user ID
- FBS account creation date
- Unencrypted passwords encoded in base64
- Password reset links
- Login history
- Loyalty data including loyalty level, level points, prize points, total money deposited, active days, active clients, points earned, and points spent
The financial details include the full transaction data, such as the deposited money, currency, payment system, transaction IDs, account IDs, transaction dates, number of times money was deposited, last deposit amount, last deposit date, total deposit, credit, balance, last month’s balance, interest rate, taxes, equity, and free margin. Some of these balances are quite large, reaching up to half a million USD.
The reasons why FBS held this data are mostly regulatory, as anti-money-laundering laws impose “know-your-customer” requirements. However, managing this data with matching caution and responsibility is crucial – otherwise, companies end up with catastrophic leaks like the present one. The firm should now also be subject to investigation by European data protection authorities, as the leak constitutes a violation of the GDPR.
The consequences for the exposed individuals are grave, ranging from identity theft and banking fraud to scams, phishing, blackmailing, and even business espionage. The details that have been exposed are just too revealing, and mitigating the risks now is very complicated – if at all possible.
If you were using FBS, you should reset all your passwords, enable 2FA, and monitor your bank account activity closely. Also, use a VPN at all times, set up an internet security solution, and treat all incoming communications with extra caution.