100 loan apps leaking PII, GPS locations & call logs of all 4.6 million customers

Data security specialists at security firm Safety Detectives and CNET have discovered a massive data breach (almost 900 GB of compromised information) originating from a server set up in China; the exposed server has already been shut down.

The exposed server is an Elastic implementation, and it exposed the personal information of millions of Chinese citizens. The experts, led by renowned researcher Anurag Sen, discovered that the exposed information was collected and stored by more than 100 app developers, mainly money-lending services in the Asian country.

According to the data protection experts, the compromised personal information includes details such as:

  • Users’ credit history
  • Financial risk management information
  • Personal identity numbers
  • Full names
  • Address
  • Contact details (phone number, email, etc.)

In addition to personal details, experts also found that the server stored information about the devices used by these apps’ clients, such as smartphone manufacturer and model, contact list, location details, IP address, IMEI numbers, and mobile network operator, among other data.

Data protection specialists consider this database to be a sample of the invasive tracking that companies perform on technology users on a daily basis. Of course, all this information is useful not only to tech and marketing companies interested in selling us a new smartphone or things like that; it is also a favorite target for hacker groups dedicated to various activities such as identity fraud.

One particularly disturbing aspect of this finding is that the operators of these databases are loan-offering apps, as the activity history of these applications is also recorded online, which could negatively influence the financial plans of affected users. In addition, just as in other similar incidents, this huge database may already be available for sale on dark web forums.

Due to weak security measures at many companies that provide online services, specialists from the International Institute of Cyber Security (IICS) believe that the best option for protecting your personal information is still prevention. If we protect our data in the best possible way, unreliable companies or groups of malicious actors are less likely to gain access to sensitive details.