- Indian lending company Vivifi has reportedly suffered a data breach
- 36 million files were exposed
- These consisted mainly of personally identifiable information (PII)
A leading digital lending app apparently exposed sensitive customer data after a misconfigured Amazon AWS S3 bucket was left exposed without authentication.
Cybernews researchers discovered that the loan provider Vivifi left 36 million Know Your Customer (KYC) documents online. The main risk after a data breach is that criminals will use your information to apply for credit cards, loans or bank accounts in identity theft or fraud schemes, so a lending company's compromised customer information would make this almost too easy for cybercriminals.
The leak included passports, identity cards, driving licenses, utility bills, bank statements and loan agreement letters, among others. Here is what we know so far.
Ongoing investigation
The researchers discovered the leak on November 28, 2024, and the bucket was not closed until January 16, 2025, which means that criminals had more than a month to find and access the data. There is no evidence suggesting that this happened, although only an internal forensic audit would determine this.
Know Your Customer (KYC) documents are used by financial institutions to ensure that they comply with regulations and laws concerning proof of identity, address and income. Unfortunately, however, this is exactly what a cybercriminal would need to take out a loan in a victim's name, or to develop particularly convincing social engineering attacks.
“For example, attackers could use the details of the disclosed loan contract or bank information to request urgent payments or account verification,” said Cybernews researchers.
“In some cases, these personal details can be aggregated and sold on the dark web, creating further danger and complicating victims' efforts to protect their privacy and secure their identity,” added the team.
Data breaches are all too common and fintech companies are not immune. Earlier in 2025, Mexican fintech MIIO suffered a similar data breach that exposed millions of sensitive data files, although significantly fewer than Vivifi’s leak.
Serious risk for customers
This data breach is, unfortunately, an ideal opportunity for an attacker. KYC documents are exactly what cybercriminals need to facilitate identity theft and fraud. With identification documents and personally identifiable information (PII), attackers can take out a loan, apply for a credit card or open new bank accounts in your name.
To guard against this, the key is to remain vigilant and monitor your accounts. There are identity theft protection plans for individuals and families, which mainly do the monitoring for you and often provide $1 million or more in insurance, as well as dark web monitoring and anti-malware software, which can be very difficult to set up alone.
If you want to do the monitoring yourself, or you have not been directly affected by a breach but want to stay protected, here are the things to keep an eye on.
First of all, your bank statements, accounts and transactions: if you see suspicious activity, immediately alert your bank and freeze or pause your card if you can.
Next, create a strong and secure password for each individual account, or at least for those holding financial, health or other sensitive information. If a service you use is involved in a breach or a cyberattack, make sure you change the password right away.
Although it is a pain, enabling multi-factor authentication (MFA) is a great additional layer of protection against intruders, so for accounts with sensitive information it’s vital.
When PII is leaked, there is always an added danger of social engineering attacks such as phishing, which will use breach data to work out which services you regularly use, what your interests are, or even who your friends and family are.
From there, the attackers will send an email impersonating one of the above and encourage you to click on a malicious link, scan a QR code or give them your details.
Be on the lookout for unexpected communications and look carefully at the sender of emails. If you are not sure, do not trust the links; search for what the legitimate email address would be, or contact the company directly via its website.
Remember that your bank will not ask you for your account details by phone or email, and it will not ask you to transfer your funds to another account.