- A researcher found 378 GB of backup data
- The archives belong to the Navy Federal Credit Union
- The files were quickly locked
Navy Federal Credit Union (NFCU), the largest credit union in the United States, exposed sensitive information on the open web by leaving a backup database unprotected and accessible from the internet. This is according to Jeremiah Fowler, a cybersecurity researcher known for hunting for databases that are unencrypted and not password-protected.
In a recent announcement, Fowler said he found an archive containing 378 GB of backup data. The data belongs to the largest credit union for military members and their families, and contained storage locations, keys, hashed passwords and other potentially sensitive internal information.
“In a limited sampling of the exposed files, I saw the names of the internal users, the email addresses and what seemed to be passwords and hashed keys,” said Fowler. “Backup files have also revealed what seemed to be operational metadata, system logs and business logic such as codes, product levels, optimization processes, rate structures and other data that should not have been accessible to the public.”
NFCU provides banking, loans and other financial services to military service members, veterans, Department of Defense employees and their families. It was founded in 1933 and, according to Website Planet, holds around $180.8 billion in assets under management and has 14.5 million members.
As soon as the researcher contacted NFCU, the organization locked the database, but it did not respond to the disclosure notice. Consequently, we do not know who actually operates the backup (it could be NFCU, but it could also be a third party), how long it was open, or whether anyone accessed it before Fowler.
Although members' data was not available in plain text, there is a “significant potential risk” in the exposure of auxiliary information, said Fowler. “Hypothetically, attackers can use internal information (such as names, emails and user identifiers) to target staff or accounts with references, phishing or other social engineering attempts, in order to access internal systems, files or sensitive member data.”
Therefore, customers are advised to be more vigilant when receiving emails and other communications that claim to come from NFCU.
Via Website Planet