Wed. Nov 13th, 2019

899 Gb of identity, credit card, banking, device, and real-time GPS location leaked by mobile loan apps

2 min read

When applying for a loan, most loan platforms will require users to provide information such as ID card, mobile phone number, location, address book, bank card information and even credit information. These data are used to assess the credibility of the loan applicant and decide whether to issue the loan, etc. It is obvious that the data is highly private and should not be disclosed. However, the microfinance market is currently chaotic and there are still more lending loans. This is also a criminal act that the police everywhere is cracking down. Whether it is a formal loan or a lump-sum loan, users are required to provide very detailed information. Of course, they say that the data will be strictly protected.

A few days ago, researchers found that there is an open database cluster on the Alibaba Cloud platform. This database cluster stores a total of about 899 Gb of loan data. Companies with these database clusters rent servers provided by Alibaba Cloud to store this data, but they do not have the most basic security measures. This data includes the user’s IP address, a time when the app was used, logs, SMS records, other installed apps, and other key data. The key data is the bank card, credit card, real-time location, loan record, tracking data, a user account password, and call list. The data may involve more than 4.6 million users because the data was submitted from 4.6 million mobile devices, including user submissions.

Although the amount of data is very large and contains millions of levels of user privacy information, researchers cannot find any owner’s information in the database. Therefore, the researchers can only contact the Alibaba Cloud security team to process the database. After two weeks of exposure, the database was taken offline by the Alibaba Cloud security team.

It is worth noting that in the past year, companies have used the MD5 algorithm to encrypt data. This outdated encryption algorithm is easily hacked by hackers. It is unclear which loan company this database is holding, and it is not clear whether the data has been completely downloaded by others.

Via: BleepingComputer