Largest US credit union leaked potentially sensitive information

(Image credit: Shutterstock)

A researcher found 378GB of backup data
The archive belongs to the Navy Federal Credit Union
The files were quickly locked down

Navy Federal Credit Union (NFCU), the largest credit union in the United States, was leaking sensitive information to the open web by keeping a backup database unprotected and available on the wider internet. This is according to Jeremiah Fowler, a cybersecurity researcher known for hunting unencrypted, non-password-protected databases.

In a recent announcement, Fowler said he found an archive containing 378GB of backup data. The data belongs to the largest credit union serving military members and their families, and contained storage locations, keys, hashed passwords, and other internal potentially sensitive information.

“In a limited sampling of the exposed files, I saw internal users’ names, email addresses, and what appeared to be hashed passwords and keys,” Fowler explained. “The backup files also revealed what appeared to be operational metadata, system logs, and business logic such as codes, product tiers, optimization processes, rate structures, and other data that should not have been publicly accessible.”

Firmware update

NFCU serves military members, veterans, Department of Defense employees, and their families with banking, loans, and financial services. It was founded in 1933, and according to Website Planet, holds roughly $180.8 billion in assets under management, and counts 14.5 million members.

As soon as the researcher reached out to NFCU, the organization locked down the database, but did not respond to the disclosure notice. Therefore, it remains unknown who actually operates the backup (it could be NFCU, but it could also be a third-party), for how long it remained open, and if anyone accessed it before Fowler.

Despite member data not being available in plain text, there is “significant potential risk” in exposing ancillary information, Fowler stressed. “Hypothetically, attackers could use internal information (such as names, emails, and user IDs) to target staff or accounts with credential stuffing, phishing, or other social engineering attempts, with the goal of gaining further access to sensitive internal systems, files, or member data.”

Therefore, customers are advised to be extra vigilant when receiving email messages and other communication claiming to come from NFCU.

Via Website Planet

Reports claim billions of Gmail accounts could be vulnerable after data breach - but Google says that's not true
Take a look at our guide to the best authenticator app
We've rounded up the best password managers

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Firmware update

You might also like