- A researcher found 378 GB of backup data
- The archive belongs to the Navy Federal Credit Union
- The files were quickly locked down
Navy Federal Credit Union (NFCU), the largest credit union in the US, leaked sensitive information to the open web by keeping a backup database unprotected and available on the wider internet. This is according to Jeremiah Fowler, a cybersecurity researcher known for hunting down unencrypted, non-password-protected databases.
In a recent message, Fowler said he found an archive containing 378 GB of backup data. The data belongs to one of the largest credit unions serving military members and their families, and contains storage sites, keys, hashed passwords and other potentially sensitive internal information.
“In a limited sampling of the exposed files, I saw internal users’ names, e-mail addresses and what seemed to be hashed passwords and keys,” Fowler explained. “The backups also revealed what seemed to be operational metadata, system logs and business logic such as codes, product levels, optimization processes, speed structures and other data that should not have been publicly available.”
NFCU serves military members, veterans, Department of Defense employees and their families with banking, loans and financial services. It was founded in 1933, and according to the Planet site, it has approximately $180.8 billion in assets under management and counts 14.5 million members.
As soon as the researcher reached out to NFCU, the organization locked down the database but did not respond to his message. It therefore remains unknown who actually manages the backup (it may be NFCU, but it could also be a third party), how long it remained open, and whether anyone gained access to it before Fowler.
Although member data was not available in plain text, there is a “significant potential risk” in revealing ancillary information, Fowler emphasized. “Hypothetically, attackers could use internal information (such as names, e-mails and user IDs) to target staff or accounts with credentials, phishing or other social engineering experiments with the aim of gaining further access to sensitive internal systems, files or member data.”
Customers are therefore advised to be extra vigilant when they receive e-mail messages and other communications that claim to come from NFCU.
Via Site plane



