Forex Broker Leaks Millions of Customer Records Online
Over 20TB of sensitive customer data has been accidentally leaked online by a popular online trading broker, after it misconfigured a cloud database.
Researchers at reviews site WizCase spotted the Elasticsearch server left wide open without any encryption or password protection.
They quickly traced it back to FBS, one of the world’s busiest online brokers for foreign exchange (forex) trading, which boasts as many as 16 million global traders.
According to the report, the database contained over 16 billion records, exposing millions of customers’ personally identifiable information (PII).
These included: full names, email and billing addresses, phone numbers, IP addresses, passport numbers, social media IDs and ID verification scans including national ID cards, driver’s licenses, bank account statements, utility bills and credit cards.
Other details included FBS user IDs, unencrypted passwords, login history, loyalty data and password reset links, according to WizCase.
With this kind of trove of PII, scammers could impersonate victims online to commit identity fraud, and/or use the information to obtain even more sensitive details from victims via follow-on phishing attacks.
With scans of both sides of users’ credit cards, cyber-criminals could also quite easily carry out payment fraud, while the leaked password information may lead to account takeover attacks.
Those whose transactions indicate significant wealth may even be targeted at their home address or blackmailed, warned WizCase.
WizCase discovered the leak on October 1 2020 and reached out to FBS the next day. The firm secured the server on October 5, although it’s unclear how long it had been left open before that. Customers are therefore encouraged to contact the broker to check if they’ve been affected by the breach.
WizCase urged those users to change their passwords and enable two-factor authentication on their online accounts, check for unusual bank account activity and to be on guard for phishing attacks.