A Sydney-based trading company, ACY Securities, has accidentally exposed their users and businesses’ financial and personal data online for public usage. However, the company did not mind the issue and stated that the exposed dataset was a minor problem.
The current database exposure owned by the ACY Securities is due to a misconfigured database. The worst part of this leakage is that the exposed database contained more than 60 gigabytes of data. Moreover, the exposed data did not have any security authentication, implying that anyone who could find these unsecured databases would have complete access to ACY’s data.
The data consists of logs from February 2022 and updated data every second.
Researchers enumerated that the data from the storage contained information such as full names, postcodes, addresses, birthdates, city names, email addresses, phone numbers, hashed passwords, and trading-related information.
Additionally, the countries greatly affected by this data exposure are the United States, the United Kingdom, Russia, Brazil, China, Spain, India, Indonesia, Malaysia, Romania, Australia, and the United Arab Emirates.
An ACY Securities representative low-balled the situation by calling it an “insignificant one.”
A researcher who addressed the situation and reached out to ACY has been persistent in warning the company since the company took a few days to understand the severity of the issue. The company’s admins took care of the exposed database. The issue is now secured, and the public can no longer access its IP addresses.
Individuals can compare the lethality of the exposed and misconfigured databases to the earlier incident where the Anonymous hacktivist group successfully compromised about 90% of Russian exposed cloud databases. The Russian databases were publicly accessible without any security authentication or password.
In ACY’s issue, the extent and nature of the compromised data could have many alarming implications. The threat actors could have downloaded the data, which will enable them to operate several cybercriminal activities such as phishing scams, scam marketing attacks, microloan identity fraud, and identity theft.
