Forex trader data leak exposes millions of confidential records

Data Breach
(Image credit: Shutterstock)

The Forex trading site FBS has leaked the confidential records of its users after the company left an ElasticSearch server exposed online.

The discovery was made by a team of white hat hackers led by Ata Hakcil from the tech news outlet WizCase that has been conducting an ongoing research project in which it scans the web for unsecured servers in order to determine their owners.

Founded in 2009, FBS is an international online forex broker with more than 400k partners and 16m traders that operates in over 190 countries. The company is one of the most popular online trading brokers worldwide and its Android app has been downloaded over 1m times from the Google Play Store.

TechRadar needs yo...

We're looking at how our readers use VPN for a forthcoming in-depth report. We'd love to hear your thoughts in the survey below. It won't take more than 60 seconds of your time.

>> <a href="" data-link-merchant=""" target="_blank">Click here to start the survey in a new window<<

As online trading has become more popular in recent years, users have entrusted terabytes of their confidential data to online forex trading platforms. Even if a user employs a password manager to create strong, complex and unique passwords for their forex accounts, their data can still be exposed online if a forex company fails to properly secure its servers as FBS did in this case.

FBS data leak

WizCase first discovered that FBS had left an ElasticSearch server exposed online in October of last year. The news outlet quickly reached out to the company and FBS secured the server on October 5. However, during the few short days the server was left unsecured, nearly 20TB of data was leaked which contained more than 16bn records. 

The personally identifiable information left exposed on the server included users' first and last names, email addresses, phone numbers, billing addresses, country, time zone, IP addresses, passport numbers, mobile device models, operating systems, social media IDs including GoogleIDs and FacebookIDs as well as all of the files they uploaded for verification such as their personal photos, ID cards, driver licenses, birth certificates, bank account statements, utility bills and unredacted credit cards.

While FBS has secured its server, its customers must remain vigilant as cybercriminals will likely used their exposed data to launch phishing attacks, credit card fraud, blackmail and even identity theft.

To further protect their FBS accounts, WizCase recommends that users reach out to the company for additional assistance, change their passwords, install anti-malware software on their devices, enable two-factor authentication, avoid opening suspicious links or attachments in their email, check their accounts for fraudulent or unusual activity and use a VPN for additional privacy and security online.

Via WizCase

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.