Misconfiguration leaks over 27M FatakPay files

Cybernews reports that Indian fintech firm FatakPay had more than 27 million files with Know Your Customer documents and other sensitive loan application information compromised by an unsecured Amazon AWS S3 bucket.

Data included in the misconfigured S3 bucket — which was identified in September, disclosed in October, and secured earlier this month — included individuals' full names, home addresses, phone numbers, email addresses, loan agreements and applications, national ID copies, account statements, selfies, PAN and Aadhar identifiers, and credit score reports, according to Cybernews researchers.

Such information exposed by the misconfiguration was noted by researchers to not only be potentially weaponized in identity theft that could jeopardize the credit scores of India-based individuals but also in phishing attacks that involve the spoofing of banks and other legitimate organizations to compromise additional sensitive data. Threat actors could also leverage the leaked home addresses to dox targets for burglary, harassment, or stalking purposes, researchers added.

