Duc App Data Breach Exposes Personal Records of Hundreds of Thousands
Severity: High (Score: 66.0)
Sources: Techcrunch, Technadu, Scworld
Summary

A data exposure incident involving the Duc App, a money-transfer service owned by Duales, has revealed sensitive personal data of potentially hundreds of thousands of users. A publicly accessible Amazon-hosted storage server was left unprotected, allowing anyone with a web browser to access unencrypted driver's licenses, passports, and other identity verification documents. Security researcher Anurag Sen discovered the exposure and alerted TechCrunch, which subsequently informed Duales. The exposed data included user-uploaded selfies, names, addresses, and transaction details dating back to September 2020. Duales stated the data was on a 'staging site' but did not clarify why it was publicly accessible. After being notified, the company claimed to have resolved the issue, although a list of the server's contents remains visible. The incident raises significant concerns about data security practices within the fintech sector.

Key Points:
• Duc App exposed sensitive data of potentially 360,000 users due to server misconfiguration.
• The data included unencrypted personal documents such as driver's licenses and passports.
• Duales has not provided a clear explanation for the public accessibility of the sensitive data.
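The summary describes the classic failure mode behind this kind of incident: an Amazon-hosted storage bucket whose policy, ACL, or account-level settings allow anonymous listing and reads. The following is an added example, not code from the page or any of the cited sources, showing the three offline checks a defender would run over a bucket's configuration documents. It assumes the storage was Amazon S3 (the page only says "Amazon-hosted"), and the policy, ACL and Public Access Block documents it inspects are constructed samples in the shapes the S3 APIs return, so nothing here contacts AWS.

```python
"""
Offline checks for the three ways an S3 bucket ends up world-readable:
a bucket policy granting to Principal "*", a bucket ACL granting to the
AllUsers / AuthenticatedUsers groups, and a missing or incomplete
Public Access Block. Assumption: the bucket is S3. The documents below
are constructed samples, not data from the Duc App incident.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_wildcard(principal):
    # Principal may be the string "*" or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return the Sids of Allow statements that grant to everyone.
    Statements carrying a Condition are reported too: a condition such
    as aws:SourceIp may narrow access, but that needs human review."""
    policy = json.loads(policy_json)
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    found = []
    for s in stmts:
        if s.get("Effect") == "Allow" and _principal_is_wildcard(s.get("Principal")):
            found.append(s.get("Sid", "<no Sid>"))
    return found


def public_acl_grants(grants):
    """Return (grantee_uri, permission) pairs for legacy ACL group grants
    that make the bucket listable or readable by anyone."""
    return [(g["Grantee"]["URI"], g["Permission"])
            for g in grants
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]


def missing_pab_flags(pab_config):
    """Return the Public Access Block flags that are not True. All four
    should be True on any bucket holding identity documents; a staging
    bucket gets no exemption."""
    return [f for f in PAB_FLAGS if not pab_config.get(f, False)]


# Constructed samples: a policy that opens listing and reads to the world
# next to a legitimate role grant, an ACL with an AllUsers READ grant, and
# a Public Access Block with two of four flags unset.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-staging-bucket",
                      "arn:aws:s3:::example-staging-bucket/*"]},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-staging-bucket/*"},
    ],
})
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

if __name__ == "__main__":
    print("public policy statements:", public_policy_statements(SAMPLE_POLICY))
    print("public ACL grants:", public_acl_grants(SAMPLE_GRANTS))
    print("PAB flags not set:", missing_pab_flags(SAMPLE_PAB))
```

In practice the three inputs come from GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock for every bucket in the account, and the audit should run on a schedule rather than once: the page notes that a listing of the server's contents was still reachable after the company said the issue was fixed, which is exactly the gap a recurring check of `s3:ListBucket` grants and the `RestrictPublicBuckets` flag is meant to close.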