Duc App Data Exposure - Thousands of Licenses Leaked Online

TechCrunch Security · Reporting by Zack Whittaker
Summary by CyberPings Editorial · AI-assisted · Reviewed by Rohit Rana
Basically, a money transfer app accidentally made many people's IDs visible online.

Quick Summary

A data breach involving the Duc App has exposed thousands of driver's licenses and passports to the public. This incident raises serious concerns about data security practices. Users are urged to monitor their information closely and take protective measures.

What Happened

A serious data breach occurred when a publicly accessible Amazon-hosted storage server allowed anyone to access sensitive customer data from the Duc App. This money transfer service, operated by the Canadian fintech company Duales, inadvertently exposed potentially hundreds of thousands of personal records without requiring any password for access. The breach was discovered by security researcher Anurag Sen, who found that anyone with the web address could view and download the data.

Who's Affected

The exposed data includes driver’s licenses, passports, and other personal information used for identity verification. According to estimates, over 360,000 files were stored on the server, which included user-uploaded selfies meant to verify their identities. The Duc App has more than 100,000 downloads on the Google Play Store, indicating a significant number of users could be impacted.

What Data Was Exposed

The data exposure included:

  • Government-issued documents such as driver's licenses and passports.
  • User-uploaded selfies for identity verification.
  • Spreadsheets containing customer names, home addresses, and transaction details.

This sensitive information, dating back to September 2020, was stored unencrypted, making it easily accessible to anyone who discovered the link.

What You Should Do

If you are a user of the Duc App, it is crucial to take immediate action to protect your identity. Here are steps you can follow:

  • Monitor your accounts for any suspicious activity.
  • Consider placing a fraud alert on your credit report to prevent identity theft.
  • Regularly check your financial statements and report any unauthorized transactions.
  • Stay informed about any updates from Duc App regarding this breach.

Immediate Actions

Duales has stated that they resolved the data exposure after being notified. However, the chief executive did not clarify how many people accessed the data or if they had the means to track access logs. The Canadian privacy regulator is now involved, seeking more information from the company to determine the next steps. This incident underscores the importance of securing sensitive data, especially as more apps require users to upload personal documents for verification.

🔒 Pro insight: This incident highlights ongoing vulnerabilities in fintech apps, emphasizing the need for robust security measures in data handling and storage.
