Small business loans app blamed as 500,000 financial records leak out of ... you guessed it, an open S3 bucket
Bank info, driver's license copies and more found, report researchers
A now-defunct mobile app for loaning money to small business owners has been pinned down as the source of an exposed archive containing roughly 500,000 personal and business financial records.
The research team at vpnMentor said it traced an exposed database of financial records back to a former Android/iOS app called MCA Wizard, developed jointly by Advantage Capital Funding and Argus Capital Funding back in 2018.
The app, which has been pulled from both the Google and Apple stores, was apparently designed to allow businesses to apply for and manage merchant cash advance (MCA) short-term loans.
According to the vpnMentor crew, the app stored documents like bank statements, photocopies of driver's licenses, credit checks, and even tax and social security information – all in an unsecured AWS S3 storage bucket. Though the app was defunct, that bucket remained online and configured for public access.
"These files didn't just compromise the privacy and security of Advantage and Argus, but also the customers, clients, contractors, employees, and partners," vpnMentor noted in its report.
While the exposure of information on thousands of people and small businesses is bad enough, there at least seems to be nothing to indicate that the database was found by criminals prior to being reported and taken down by AWS on January 9, more than two weeks after being discovered by the white hat researchers.
Interestingly, although the app is no longer available, the researchers noted that new documents were being added to the storage instance right up until its removal, suggesting another application could also be using the bucket.
More worrisome, though, is that the researchers were unable to reach either of the companies credited with developing the app (The Register was also unable to get comment from either Argus or Advantage), and they might in fact not even really be separate entities.
"While the database's URL contained 'MCA Wizard,' most files had no relation to the app. Instead, they originated from both Advantage and Argus. Furthermore, throughout our research, files were still being uploaded to the database, even though MCA Wizard seems to have been closed down," vpnMentor said.
"Information on all three entities is scarce, but they appear to be owned and operated by the same people. However, there is no clear connection between MCA Wizard and the two companies that own it anywhere online."
Business owners and others who used the app and are concerned about their data being misused are advised to keep a close eye on their bank statements and, if they notice unauthorised activity or new accounts, to report this and consider a credit freeze. ®