Online trading broker FBS exposes 20TB of data with 16 billion records carderplanetsu, iprofitsu
The team of security researchers at WizCase led by Ata Hakcil discovered a massive trove of data belonging to FBS, a prominent online trading broker with offices in Belize and Cyprus.
FBS is home to 16 million traders and 400,000 partners from over 190 countries.
According to researchers, FBS exposed almost 20 terabytes worth of data comprising over 16 billion records. As a result, millions of FBS customers had their personal and sensitive information accessible online.
It is worth noting that the data was left open to public access on an Elasticsearch server without any security authentication. This means that anyone with knowledge of unsecured databases could have downloaded the data with no password required.
The data, that was thoroughly analyzed by the WizCase team included:
What’s worse is that the company also exposed files sent by users for account verification or identity confirmation. This included the following:
The fact that FBS uploaded unredacted credit cards on a web server and left them exposed for public access could have a devastating impact on unsuspecting users including empty bank account, identity theft, extortion, and blackmailing scams to name a few.
However, the list of exposed data does not end here. In their blog post , Chase Williams of WizCase wrote that FBS also exposed its users’ IDs, their login history, unencrypted passwords encoded in base64, links to reset the password, and other sensitive information.
Unredacted credit cards (Image: WizCase)
WizCase told Hackread.com that the data was exposed on the 1st of October 2020 which remained open to public access till the 5th. On the other hand, FBS secured the data within 30 minutes upon disclosure from the researchers.
It is unclear whether the data was accessed by malicious third parties. Nevertheless, if you have an account with FBS it is advised to get in touch with the company and inquire about the breach.
Furthermore, change your FBS password along with passwords on other services and watch out for phishing emails and SMSishing links on your smartphone.