Report: Data Leaked from 2 Indian Financial Service Sites
Led by established researchers Noam Rotem and Ran Locar, vpnMentor’s research team recently found exposed databases belonging to Credit Fair and Chqbook, two Indian personal credit and loan-related services.
Credit Fair offers customers access to small personal loans. On Chqbook, customers can compare personal finance products, such as loans and credit cards, based on their personal circumstances and financial status. Both websites require customers to provide considerable personal and financial details that, in the wrong hands, could be used in a number of illegal ways.
Our team found that the databases behind both websites could be reached without any credentials, giving access to huge amounts of their customers’ personal and financial details.
The databases were unencrypted and completely unsecured, creating a huge risk for customers of both companies.
Discovery and Owner Reaction
Our team discovered the leaks on July 24th and contacted both companies to inform them. Fortunately, Chqbook closed its leak within 48 hours. As of writing (July 31st), the Credit Fair leak remains open.
Example of Entries in the Database
Both Credit Fair and Chqbook require customers to create accounts and share significant personal and financial information on their websites.
All of this information was hosted on unsecured databases that our team was easily able to access. Examples of the customer details we were able to extract are below.
Credit Fair (44,000 records):
- Full name
- Phone number
- Dates of birth
- Detailed info about the loans (amount, status, rate, creation date, applicant name)
- PAN (Permanent Account Number, the Indian tax ID)
- IP address
- Session tokens
- Aadhaar number (Indian national ID, issued by UIDAI: https://uidai.gov.in/)
- Plaintext passwords (not working)
- Links to fraud reports
Chqbook (67 GB of data exposed):
- Full name
- Phone number
- Email address
- Credit card number
- Card expiry date
- Type of card
- Transaction amounts
- User ID
- Plaintext passwords
- Session tokens
- Ability to send SMS
- Monthly income
- Date of birth
- City name
- Employment profile
If all of this unsecured information were combined, criminals would have a substantial picture of an individual customer’s personal finances. This information could be used in a number of harmful and illegal ways.
Credit Fair record example
Data Breach Impact
The information within these databases could be used to build a complete profile of a Credit Fair or Chqbook customer. Malicious actors could use this to steal customers' identities. Between them, the databases included full names, phone numbers, email addresses, dates of birth, government ID numbers, employment and income details, and much more.
Criminals could easily create accounts on different websites for a number of online activities, legal and otherwise, that would cost the customers considerably. They could also take over customer accounts on both Credit Fair and Chqbook, costing each business a great deal in investigations, account recovery, and revenue.
An account takeover is a form of identity fraud that both customers and companies like Credit Fair and Chqbook would be very vulnerable to, based on this data breach.
If a victim’s account can be accessed, their details could be changed, or transactions could be made in their name. Customers will have to pay for frauds, such as taking out a fraudulent loan.
A criminal hacker could change the bank account on a Credit Fair customer’s account to one they own. The hacker could then take out a loan and transfer it into their bank account. The victim whose Credit Fair account was used would now have to pay that loan back.
Similarly, a Chqbook customer’s account could be used to apply for credit cards in that person’s name. The victim would then be responsible for any fraudulent purchases made on those cards.
This data could also be used to create highly targeted phishing campaigns aimed at defrauding Chqbook and Credit Fair customers. Phishing involves sending fraudulent emails claiming to be from a particular business or government agency, with the aim of extracting financial information from victims.
While open, the Credit Fair and Chqbook databases could have provided a huge amount of valuable data to criminals, and the personal details they contain would make such phishing emails incredibly specific and convincing.
Blackmail and Extortion
A great deal of the information our team was able to access is of a private and sensitive nature.
We could see customers’ credit and employment status, whether or not they were accepted for loans, and their government ID numbers.
Not only could some of this private information be embarrassing, but it can also be used to target customers personally in a number of ways. If a customer is rejected for a loan on one of these sites, criminal loan sharks could use that information to pressure them into dangerous, illegal loans. Their private financial details could be held to ransom, and the customers extorted for money, using threats to expose their financial status publicly.
Many of the people in both databases were government employees. Criminal gangs are particularly ruthless when extorting people who work for governments, as they’re considered especially useful for information and potential exploitation. Governments often take strong measures to protect their employees from predatory gangs, which makes this breach even more troubling.
Advertisers and scam artists can also use customer profiles to create precisely targeted, manipulative, and exploitative ad campaigns on social media to push products or services on vulnerable customers. For instance, knowing somebody is under financial pressure, they could push high-interest loans with misleading or dubious tactics.
Chqbook record example
Physical Dangers of The Leaks
There are also physical threats.
Both databases contained customers’ names and phone numbers, along with email addresses, cities, and employment details for Chqbook users. They also provide insight into customer net worth based on loan amounts, available credit, and the financial products they’re purchasing.
This creates a real physical danger, as somebody with access to the databases could use them to single out wealthier customers. Using phone numbers and emails, thieves can contact customers directly under a pretext, work out where they live and when they’re not home, and choose a suitable time to break in.
Advice from the Experts
The issues and concerns we’ve raised here are by no means exhaustive. The breaches in these databases have wide-ranging implications for the customers of Chqbook and Credit Fair, and for the businesses themselves.
These vulnerabilities are just two examples of the many dangers for anybody using online financial instruments or websites.
If you’re concerned about how these breaches specifically, or data vulnerabilities in general, might impact your site or business, read our complete guide to online privacy. It shows you the many ways you can be targeted by cybercriminals, and the steps you can take to stay safe.
How and Why We Discovered the Breach
We discovered this breach as the result of a web mapping project. Our researchers port-scan particular IP blocks, then check each open service they find for weaknesses and for data being leaked.
Our team discovered that both Credit Fair’s and Chqbook’s entire databases were unprotected and unencrypted. Credit Fair uses MongoDB, while Chqbook uses Elasticsearch; neither was protected by a password or a firewall.
In Chqbook’s case, the Elasticsearch instance could be reached directly from a browser, and adjusting the search parameters in the URL exposed the schema of any single index at will.
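The exposure pattern described above, a MongoDB or Elasticsearch instance listening on a public interface with no authentication, is normally visible in the service’s own configuration file before any scanner finds it. The Python script below is an added example, not vpnMentor’s tooling or either company’s code: it flattens a mongod.conf and an elasticsearch.yml into dotted keys and flags a non-loopback bind address and disabled authentication, using constructed weak and hardened sample configs embedded inline. For context, MongoDB’s default port is 27017 and Elasticsearch’s HTTP port is 9200, and an unauthenticated Elasticsearch node answers `GET /_cat/indices` and `GET /<index>/_mapping` from any browser, which is exactly the kind of URL-driven access the report describes. The minimal parser handles only the simple block mappings these files use and is not a general YAML parser.

```python
"""Audit mongod.conf / elasticsearch.yml for the "open to the internet,
no authentication" pattern. Added example, not code from the report.
All sample configs below are constructed for this example."""

# Constructed sample: mongod listening on every interface, no authorization.
WEAK_MONGOD_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: the same service hardened.
HARDENED_MONGOD_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

# Constructed sample: Elasticsearch bound to all interfaces, security off.
WEAK_ES_YML = """\
cluster.name: prod-search
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: hardened Elasticsearch.
HARDENED_ES_YML = """\
cluster.name: prod-search
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Addresses that keep the listener reachable only from the machine itself.
LOOPBACK = {"127.0.0.1", "localhost", "::1", "_local_"}


def flatten_yaml(text):
    """Flatten block-style YAML with scalar leaves into {'a.b': 'value'}.
    Tracks an indentation stack to build dotted keys; comments are dropped."""
    result = {}
    stack = []  # (indent, key) for each enclosing mapping
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            result[".".join(k for _, k in stack)] = value.strip()
    return result


def is_public_bind(value):
    """True if any host in a comma-separated bind list is not loopback."""
    hosts = [h.strip().strip("'\"") for h in value.split(",") if h.strip()]
    return any(h not in LOOPBACK for h in hosts)


def audit_mongod(conf_text):
    """Return findings for a mongod.conf (empty list means nothing flagged)."""
    cfg = flatten_yaml(conf_text)
    findings = []
    # mongod defaults to 127.0.0.1 since 3.6; an explicit wider value or
    # bindIpAll exposes the port to whatever the firewall lets through.
    bind = cfg.get("net.bindIp", "127.0.0.1")
    if cfg.get("net.bindIpAll", "false").lower() == "true" or is_public_bind(bind):
        findings.append("mongod listens on non-loopback address(es): " + bind)
    if cfg.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not 'enabled': anyone who "
                        "can reach the port can read every database")
    return findings


def audit_elasticsearch(yml_text):
    """Return findings for an elasticsearch.yml (empty list means clean)."""
    cfg = flatten_yaml(yml_text)
    findings = []
    host = cfg.get("network.host", "_local_")  # Elasticsearch default
    if is_public_bind(host):
        findings.append("network.host is non-loopback: " + host)
    # Treated as disabled unless explicitly true, matching the 6.x/7.x
    # defaults that were current when this report was written.
    if cfg.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled is not true: /_cat/indices, "
                        "/_mapping and /_search need no credentials")
    return findings


if __name__ == "__main__":
    for name, fn, text in [("weak mongod", audit_mongod, WEAK_MONGOD_CONF),
                           ("hardened mongod", audit_mongod, HARDENED_MONGOD_CONF),
                           ("weak elasticsearch", audit_elasticsearch, WEAK_ES_YML),
                           ("hardened elasticsearch", audit_elasticsearch, HARDENED_ES_YML)]:
        print(name + ":", fn(text) or "no findings")
```

Run it directly to see the findings for the four sample configs, or read your own files into a string and pass them to `audit_mongod` or `audit_elasticsearch`. The config check catches the first layer; a firewall rule or security group that limits 27017 and 9200 to the application hosts is the second, and both were missing in the cases the report describes.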
As ethical hackers, we are obliged to reach out to site owners when we discover security flaws. This is especially true when a company’s data breach affects so many people – and in the case of Credit Fair and Chqbook, this issue impacted thousands of people every day.
However, these ethics also mean we carry a responsibility to the public. Credit Fair and Chqbook customers must be aware of the risks they take when using sites that make no effort to protect their users.
About Us and Previous Reports
vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.
We recently discovered a huge data breach impacting 80 million US households. We also revealed that Gearbest experienced a massive data breach. You may also want to read our VPN Leak Report and Data Privacy Stats Report.
[Publication date: 31.07.2019]