Cashback website leaks personal information and bank details of 3 million customers

IT security audit researchers at the security firm Safety Detectives have revealed a massive data leak (up to 2 terabytes) hosted on an unsecured Elasticsearch server. The exposure affects around 3.5 million users of the websites Pouringpounds.com and Cashkaro.com in the United Kingdom and India, whose data is already on sale on the dark web. Both websites are operated by the Pouring Pounds company.

Experts found that these websites, which offer cash back services and coupons, have exposed sensitive user details, including:

  • Full names
  • Phone numbers
  • Email addresses
  • Usernames
  • Passwords stored in plain text
  • Bank details linked to the account

The server was reachable by anyone, as it did not even require a password. By scanning the internet for the port the service listened on (Elasticsearch answers on TCP 9200 by default, and the versions deployed at the time did not require authentication unless the operator enabled it), anyone could find the server and extract the stored information, the IT security audit specialists noted. The server remained exposed for at least a couple of months.

The specialists analyzed the information exposed by each website separately. For PouringPounds.com, which has more than one million users, the leaked data consists primarily of plain-text usernames and passwords, so any threat actor could take control of any account and the cashback balance held in it. “Anyone who knows where and how to search could easily take control of one of these accounts to find the associated credits and transfer them via PayPal or any similar service,” the experts added.
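The root of the account-takeover risk described above is that the database column held the password itself, so a copy of the table is a copy of every login. The example below is added here and is not code from the article or from either website: it contrasts that storage design with a salted, iterated hash (PBKDF2-HMAC-SHA256 from the Python standard library) and shows that an attacker who reads the stored column can log in with it only in the plain-text design. The sample e-mail and password are constructed, and the iteration count is an assumed cost setting.

```python
import hashlib
import hmac
import os

# Constructed sample credential standing in for one leaked row (not real user data).
SAMPLE_EMAIL = "alice@example.com"  # assumed
SAMPLE_PASSWORD = "Summer2019!"     # assumed

# Assumed work factor; tune so one verification takes on the order of 100 ms.
PBKDF2_ITERATIONS = 600_000


def store_plaintext(password: str) -> str:
    """The leaked design: the database column holds the password verbatim."""
    return password


def login_plaintext(submitted: str, stored: str) -> bool:
    """Login check for the plain-text design: a direct string comparison."""
    return hmac.compare_digest(submitted.encode("utf-8"), stored.encode("utf-8"))


def store_hashed(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened design: random per-user salt plus PBKDF2-HMAC-SHA256.

    Stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' so the
    parameters travel with the record and can be raised later.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def login_hashed(submitted: str, stored: str) -> bool:
    """Login check for the hashed design: recompute with the stored salt and
    compare digests in constant time. Malformed records never authenticate."""
    try:
        alg, iterations, salt_hex, digest_hex = stored.split("$")
        if alg != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", submitted.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False


def attacker_replays_column(stored_column: str, login) -> bool:
    """Model of the leak: the attacker has only the stored column and submits
    it as the password. Succeeds iff the column *is* the password."""
    return login(stored_column, stored_column)


def demo() -> dict:
    """Run both designs against the same constructed credential."""
    plain_col = store_plaintext(SAMPLE_PASSWORD)
    hashed_col = store_hashed(SAMPLE_PASSWORD)
    return {
        # Legitimate user can still log in under both designs.
        "plaintext_user_login": login_plaintext(SAMPLE_PASSWORD, plain_col),
        "hashed_user_login": login_hashed(SAMPLE_PASSWORD, hashed_col),
        # Only the plain-text column lets the leak reader log in directly.
        "plaintext_leak_gives_login": attacker_replays_column(plain_col, login_plaintext),
        "hashed_leak_gives_login": attacker_replays_column(hashed_col, login_hashed),
        # Per-user salt: two hashes of the same password differ, so a leaked
        # table cannot be attacked with one precomputed lookup.
        "salted": store_hashed(SAMPLE_PASSWORD, 1000) != store_hashed(SAMPLE_PASSWORD, 1000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A hashed column still has to be defended against offline guessing, which is why the work factor matters, but it turns an instant takeover of every account into a per-password cracking effort that a strong, unique password withstands.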

CashKaro, meanwhile, which has more than 2.5 million active users, also exposed passwords in plain text, together with financial details such as bank account information and the links between those accounts and user profiles, the data the service relies on to pay out cashback. “Two full terabytes of personal identification and financial data, belonging to millions of people, is a really serious matter,” the IT security audit experts added.

The exposure was reported to the company responsible for the server in early September. After a few days, the company’s security team responded, stating that the database had already been taken offline.

It should be mentioned that many Internet users reuse the same password on two or more websites. Once hackers get their hands on victims’ usernames and passwords, they can extend the attack to other services, such as email accounts or social media platforms, by simply trying the same credentials there (credential stuffing).

Whether the result of a cyberattack or of human error, deployments like this one are at constant risk. According to IT security audit specialists from the International Institute of Cyber Security (IICS), there are several ways to mitigate the impact of such incidents. Users should always verify that they are browsing through a secure website, protected with HTTPS, and should avoid opening email attachments, one of the most common infection vectors. Using a unique password for each online service, together with additional controls such as multi-factor authentication, is also recommended. Note that these user-side measures limit the damage of a leak rather than prevent it: an HTTPS connection to the website does nothing for a backend database that is left reachable without authentication, which is the operator’s responsibility to lock down.