60GB of User Data Was Exposed by Australian Trading Company ACY Securities
A Representative of the Trading Giant Declared that the Exposed Server Was an “Insignificant One.”
ACY Securities is an Australian financial derivative trading organization that allows customers to trade Forex (FX) and CFD instruments across shares, indices, precious metals, commodities, and cryptocurrencies.
According to Anurag Sen, a well-known cybersecurity researcher, the Australia-based trading company unintentionally revealed a large amount of personal and financial information belonging to unsuspecting users and organizations on the internet for public access.
The event occurred as a result of ACY Securities’ misconfigured database. Worst of all, the data leak held more than 60GB of data that was left in the open with no security authentication.
This means that everyone with a basic understanding of how to discover unprotected databases on search engines such as Shodan can obtain complete access to ACY’s data, which includes logs from February 2020 to the present, while being constantly updated with the most recent data set.
Full name, postal code, address, date of birth, email address, gender information, contact number, hashed password, banking, and financial information are among the data that has been exposed.
The incident impacted users and companies in various countries including:
- United States
- United Kingdom
- United Arab Emirates
The Exposed Server Is an “Insignificant One”
The security researcher contacted ACY Securities several times with evidence of the data leak, but it took the Australian company a few days to acknowledge and fix the issue. He eventually received a response from a representative of the trading firm, who stated that the server that had been exposed is an “insignificant one.”
They officially emailed me stating that ” Thank you for mentioning this, the below server is an insignificant one” – “I am really not happy with the reply. They are considering personal details of registered users including hashed password, email address, physical address, full name, and mobile number – insignificant.
But Is It Really Not Dangerous?
When we think that earlier this year, the group of “hacktivists” called Anonymous and its affiliate group of hackers impacted roughly 90% of Russian cloud databases that were made available to the public without any security authentication or password, we can see that the issue of misconfigured and exposed databases is a serious one.
Given the scope and nature of the data exposed by ACY, the incident could have sweeping consequences. Cybercriminals could download the data and use it to commit identity theft, phishing attacks, scam marketing campaigns, and identity fraud involving microloans.
Misconfigured or unsecured databases, as we know it, have become a major privacy threat to companies and unsuspected users. In 2020, researchers identified over 10,000 unsecured databases that exposed more than ten billion (10,463,315,645) records to public access without any security authentication. In 2021, the number increased to 399,200 exposed databases.