A leading digital lending app has apparently exposed sensitive customer data after a misconfigured Amazon AWS S3 bucket was left accessible without authentication.
Cybernews researchers discovered that loan provider Vivifi left 36 million files of Know Your Customer (KYC) documents open online. The primary risk following a data breach is that criminals will use your information to apply for credit cards, loans or bank accounts in identity theft or fraud schemes – so a loan company that has its customer information compromised makes things almost too easy for cyber criminals.
Included in the leak were passports, ID cards, driving licenses, utility bills, bank statements and loan agreement letters, among other things – here is what we know so far.
Ongoing investigation
Researchers discovered the leak on November 28, 2024, and the bucket was not closed until January 16, 2025, which means criminals had over a month to find and access the data.
Know Your Customer (KYC) documents are used by financial institutions to ensure that they comply with rules and laws on proof of identity, address and income. Unfortunately, this is also everything a cyber criminal needs to take out a loan in a victim’s name or to craft a particularly convincing social engineering attack.
“For example, attackers could use leaked details of loan agreements or banking information to request urgent payments or account winding,” Cybernews researchers said.
“In some cases, these personal details can be aggregated and sold on the dark web, further escalating the danger and complicating the efforts of victims to protect their privacy and secure their identity,” the team added.
Data breaches are far too common and fintech companies are not immune. Earlier in 2025, the Mexican fintech company MIIO suffered a similar data breach that exposed millions of files with sensitive data, although significantly fewer than the Vivifi leak.
Severe risk to customers
Unfortunately, this data breach is the perfect opportunity for an attacker. The KYC documents are exactly what cyber criminals need to facilitate identity theft and fraud. With the identifying documents and personally identifiable information (PII), attackers can take out a loan, get a credit card or open new bank accounts in your name.
To stay safe, the key is to remain vigilant and monitor your accounts. There are identity theft protection plans for individuals and for families that essentially do the monitoring for you, and often include $1 million or more in insurance as well as dark web monitoring and anti-malware software, which can be very difficult to set up on your own.
If you want to do the monitoring yourself, or you have not been directly affected by a breach but want to stay protected, here are the things you need to keep an eye on.
First, your bank statements, accounts and transactions – if you see any suspicious activity, you must alert your bank immediately and freeze or pause your card if you can.
Then create a strong and secure password for each account, or at least for those that hold financial, health or other sensitive information – and if a service you are using is involved in a breach or cyberattack, be sure to change the password right away.
While it is a pain, enabling multi-factor authentication (MFA) adds a significant layer of protection against intruders, so it is important for accounts holding sensitive information.
When PII is leaked, there is always an extra danger of social engineering attacks such as phishing that use the data from the breach to determine which services you use regularly, what your interests are or even who your friends and family are.
From there, attackers send an email that mimics one of the above, to fool you into clicking on a malicious link, scanning a QR code, or handing over your details to them.
Be on the lookout for any unexpected communication and look closely at the sender of emails. If you are not sure, do not click any links; search for what the legitimate email address would be, or contact the company directly through its website.
Remember that your bank will not ask you for your account information over the phone or via email – and it will not ask you to transfer your funds to another account.