Report: Colombian financial and credit providers reveal personal information of customers.
In this article: what data was leaked, who is affected, who leaked the data, the impact on Credinet/Sistecredito customers, the impact on Credinet/Sistecredito, and how and why we report data leaks.

Company name and location: Credinet/Sistecredito, headquartered in Colombia

Size of the exposed data: about 100 MB, 143,876 records in total

Data storage format: Elasticsearch

Affected countries: Colombia

The research team can reveal a major data leak affecting Credinet, a credit platform owned by the Colombian financial company Sistecredito.

Sistecredito offers installment financing to customers who want to buy goods now and pay later at affiliated stores across the country. The Credinet platform is used by retail stores that want to sign customers up for the Sistecredito service in order to finance purchases of the goods they sell.

Credinet/Sistecredito stored thousands of records on an Elasticsearch server that was neither encrypted nor password protected. The server contained sensitive data that hackers could use to put thousands of people at serious risk of cybercrime.

The leaked customer data

Credinet/Sistecredito stored various types of data on the misconfigured Elasticsearch server without any password protection. As a result, the Credinet platform exposed about 100 MB of data, equivalent to 143,876 records.
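The report describes an Elasticsearch server reachable without a password. As an added illustration (not configuration taken from the report or from Sistecredito), the fragment below contrasts the kind of elasticsearch.yml settings that produce such an exposure with a hardened version. The certificate paths and hostnames are placeholders.

```yaml
# --- Exposed: what an open Elasticsearch server typically looks like ---
# (illustrative, not the affected server's actual config)
network.host: 0.0.0.0            # listens on every interface, including public ones
http.port: 9200
xpack.security.enabled: false    # no authentication at all on the REST API (7.x default
                                 # unless a licence/security bootstrap was done)

# --- Hardened ---
network.host: 10.0.0.12          # assumption: a private interface, not a public address
http.port: 9200
xpack.security.enabled: true     # require authentication on every request
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12        # assumed path
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/transport.p12   # assumed path
xpack.security.transport.ssl.verification_mode: certificate
```

With security enabled, every request must carry credentials (for example an API key or a user created with the elasticsearch-setup-passwords tool), and any firewall or security group in front of the node should block port 9200 from the internet regardless. Since Elasticsearch 8.0 security is switched on by default, so the exposed shape above mainly arises on 7.x and earlier installs or where someone has explicitly disabled it.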

The exposed data that puts Credinet/Sistecredito customers at risk included:

Customer PII: a log containing names, e-mail addresses, mobile phone numbers and financial data.

JWT tokens: about 3,000 of the leaked records contained JWT tokens, which can be used to generate access tokens to authenticate as Credinet users and so let hackers into customer accounts. Most leaked records containing JWT tokens also contained the customer's e-mail address.

Password reset links: belonging to customer accounts.

The exposed information on the server that directly affects the Credinet platform included:

Database credentials: including plaintext passwords for the CredinetSQL database.

App secrets: a log containing various application secrets relating to data storage on the Credinet platform.
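The three record types above (JWTs in application logs, password reset links, and plaintext database and application secrets) are all things that should never reach a log store in the first place. The following added example, written for this page and not code from the report or from Credinet/Sistecredito, scans log lines for those secret types and redacts them before indexing. The log lines and the demo JWT are constructed for illustration; the JWT check decodes the header and payload only (no signature verification), since the point is to spot a leaked credential, not to trust it.

```python
"""Flag and redact secrets (JWTs, reset links, passwords) in log lines.

Added example for this page, not code from the report or from Sistecredito.
All sample data below is constructed.
"""
import base64
import json
import re
from typing import Dict, Iterable, List, Optional, Tuple

# A JWT is three base64url segments; the header always starts with "eyJ" ('{"').
# The signature segment may be empty (alg "none"-style tokens).
JWT_RE = re.compile(r"\b(eyJ[A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]*)")
# A reset/recovery URL carrying a single-use token in the query string.
RESET_LINK_RE = re.compile(
    r"https?://\S*(?:reset|recover)\S*[?&](?:token|code|key)=[^\s&\"']+", re.I)
# password=..., "db_password": "...", app_secret: ... in plain or JSON logs.
CREDENTIAL_RE = re.compile(
    r"(?:password|passwd|pwd|secret)[\"']?\s*[:=]\s*[\"']?([^\s\"',;}]+)", re.I)


def _b64url_decode(segment: str) -> bytes:
    """Decode base64url without padding (JWT segments strip the '=')."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> Optional[dict]:
    """Return the payload claims if token is structurally a JWT, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or "alg" not in header:
        return None
    return payload if isinstance(payload, dict) else None


def find_secrets(line: str) -> List[Tuple[str, str]]:
    """Return (kind, secret_text) for every secret found in one log line."""
    hits: List[Tuple[str, str]] = []
    for m in JWT_RE.finditer(line):
        if jwt_claims(m.group(0)) is not None:  # skip random base64-looking junk
            hits.append(("jwt", m.group(0)))
    for m in RESET_LINK_RE.finditer(line):
        hits.append(("reset_link", m.group(0)))
    for m in CREDENTIAL_RE.finditer(line):
        hits.append(("credential", m.group(1)))
    return hits


def redact(line: str) -> str:
    """Replace each detected secret with a placeholder, keeping the rest intact."""
    for _, secret in find_secrets(line):
        line = line.replace(secret, "[REDACTED]")
    return line


def scan(lines: Iterable[str]) -> Dict[str, int]:
    """Count secrets by kind across a batch of log lines."""
    counts = {"jwt": 0, "reset_link": 0, "credential": 0}
    for line in lines:
        for kind, _ in find_secrets(line):
            counts[kind] += 1
    return counts


def make_demo_jwt(sub: str) -> str:
    """Build a constructed JWT (fake signature) so the sample log has a real-shaped token."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc({'sub': sub, 'exp': 1614680100})}.demo-signature"


# Constructed sample log lines in the style the report describes (names, e-mails,
# phone numbers, tokens and DB credentials written to application logs).
SAMPLE_LOG = [
    "2021-03-02T10:15:00Z INFO login ok user=maria@example.com phone=+573001112233 "
    "token=" + make_demo_jwt("maria@example.com"),
    "2021-03-02T10:16:00Z INFO reset mail sent to carlos@example.com "
    "link=https://credinet.example/reset-password?token=9f2c7e1ab",
    "2021-03-02T10:17:00Z DEBUG db connect host=sql.internal user=credinet_app password=P@ssw0rd!",
    "2021-03-02T10:18:00Z INFO health check ok",
    '2021-03-02T10:19:00Z DEBUG config {"app_secret": "s3cr3t-value", "storage": "blob"}',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
    for entry in SAMPLE_LOG:
        print(redact(entry))
```

Run as a filter in the log shipper (or as a periodic query over an existing index), this turns the "a log contains JWT tokens" finding into an alert before the data ever lands in Elasticsearch; the redaction step is what you would put in the pipeline, and the counts are what you would chart to see whether the leak is still happening.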

Credinet/Sistecredito exposed sensitive customer information that could be used to seriously harm both the company and its customers.

The password reset links included in the database make the impact of this breach clear: hackers could use them to access thousands of user accounts.

Hackers could take the list of customer e-mail addresses contained in the database and use those details, together with the reset links, to reset the passwords of the corresponding user accounts. In this way hackers could reset any of the more than 3,000 user accounts in the Credinet database.

Based on the exposure of PII, reset links and JWT tokens, our lowest estimate of the number of affected customers is slightly above 3,000 users, although the real number may be much higher.

Below you can see evidence of the leaked JWT tokens, e-mail addresses, password reset links and other forms of PII.

The Credinet/Sistecredito leak could also directly affect the company's own operations and lead to larger customer data leaks in the future, because two further types of data were found on the server. One log contained application secrets, which give more detailed information about the platform's data storage.

The research team also found two database passwords, which could give hackers additional access and privileges, up to full control of the CredinetSQL database. For ethical reasons, our team did not test these passwords.

Below you can see evidence of the leaked application secrets and database passwords.

The inadequate security of the Credinet database means the platform's owner, Sistecredito, may be investigated by Colombia's Superintendence of Industry and Commerce (SIC), which is responsible for investigating cases of data misuse or inadequate data protection measures by Colombian companies.

If Credinet/Sistecredito were found to have misused customer data with criminal intent, it would be in breach of Colombian criminal law and face a further set of sanctions and penalties. On the current evidence, however, that seems unlikely.

Who is affected

Sistecredito and its Credinet platform are based in Colombia, and the company is not believed to do business outside Colombia. Analysis of Credinet/Sistecredito's registration confirms that the company is located in Colombia, and Alexa traffic analysis shows that it deals only with Colombian citizens.

Who leaked the data

Sistecredito does business through the Credinet platform, which lets stores across Colombia sign users up for its financial services.

Sistecredito is headquartered in Envigado, Antioquia, Colombia. It is a large company with about 300 employees and annual revenue of 15.78 million USD.

Throughout the open database, Credinet/Sistecredito is referenced countless times, and it even contains links between the Sistecredito website and the Credinet platform. It is therefore clear that the database belongs to Credinet/Sistecredito.

Impact on Credinet/Sistecredito customers

Only Credinet/Sistecredito can know whether the database was accessed by malicious hackers, but the length of time the database was left open does expose the platform's users to serious cybercrime risks.

Identity theft and fraud

Leaked personal information such as customers' names, e-mail addresses, mobile phone numbers and financial data can be used to support fraud on a number of other platforms. Cybercriminals can use this data to impersonate victims and commit fraud in their name.

Scams, phishing and malware

Contact information such as phone numbers and e-mail addresses can be used to target users with scams, phishing and malware.

Hackers can use customers' personal information, including their financial records, to build trust with users and persuade them to hand over money or further PII, or to click links that download malware onto their computers.

Hackers could impersonate representatives of Credinet or Sistecredito. If they contact users by e-mail, they may try to pressure victims into clicking a link; this is a phishing attack. Once the victim clicks, malware may be downloaded onto the user's computer, helping the hacker carry out further criminal activity.

Account takeover

The password reset links and JWT tokens can be used to take over customer accounts.

JWT tokens can be used to authenticate as a Credinet account holder, and hackers could use the password reset links to reset the password of any Credinet account.

The list of users and e-mail addresses exposed by the server can be used to pick out victims for these attacks. Once hackers are inside an account, they can see additional PII and engage in further fraud.

Impact on Credinet/Sistecredito

Credinet and the platform's owner Sistecredito stand to suffer significant financial and reputational damage from this breach.

Data privacy violations

SIC, Colombia's data protection authority, may investigate Credinet/Sistecredito's data practices.

Under Colombia's Law 1581 (of 2012), data controllers and processors must maintain strict security measures and standards for customer data. Modifying or disclosing customer data without the customer's consent, whether intentionally or not, is prohibited.

SIC can impose fines of up to 2,000 times Colombia's legal minimum monthly wage for violations of Law 1581 and the country's wider data protection legislation.

Colombia's Criminal Code treats a data breach as a serious crime where an entity intentionally discloses customer data without authorization for its own benefit or that of a third party.

Any such violation can result in the person responsible being fined 100 to 1,000 times Colombia's legal minimum wage and imprisoned for 48 to 96 months. However, there is no evidence that Credinet/Sistecredito intentionally leaked customer data.

In addition to these fines, affected users may also be entitled to compensation from Credinet/Sistecredito. Any legal action seeking damages would cause further financial losses to the company.

Business loss

The reputational damage caused by incidents like this is tangible. Customers trust the company with their personal data, and when the company leaks that data, that trust is destroyed. Whether or not the data was leaked intentionally, the victims' rights have been violated; Credinet/Sistecredito has put its customers at risk, which damages the brand's image.

Negative publicity may lead some consumers to avoid Credinet and Sistecredito in the future, and existing customers may end their relationship with the company if they feel unsafe or are worried about data security.

Corporate espionage

Credinet/Sistecredito faces a serious risk of corporate espionage, since its open Elasticsearch server contained a large amount of customer data.

Competitors could offer discounts to the customers on the Credinet list, and even tailor their approach using the other forms of PII. As users migrate to competitors, this could cost the Credinet platform and Sistecredito's financial services business. Other competitors could even pretend