A major data breach that exposed 2 terabytes of sensitive information has been uncovered at one of the UK’s biggest cash-back websites.
Anurag Sen, the cybersecurity ‘hacktivist’ leading the investigation for Safety Detectives, discovered the violation on PouringPounds.com, a site which provides shoppers with savings and deals through cash-back and voucher promotions. Safety Detectives is a global security community and expert sharing platform.
PouringPound Ltd., the company that owns PouringPounds.com, is also in charge of CashKaro.com, an India-based savings website. Both were affected by the breach.
No password protection
Full names, bank details, email addresses, plain-text passwords and IP addresses had all been exposed in the breach, and are thought to have been uploaded to the dark web. It’s believed that the hack was made easier because the Elasticsearch server didn’t have any password protection.
As part of the full report from the platform, Safety Detectives says, “The elastic server was publicly exposed without any password protection. Searching at a specific port, anyone could find it easily and take advantage of it maliciously.”
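The misconfiguration described in the report is an Elasticsearch HTTP endpoint that answers without credentials. The following is an added, hypothetical self-audit helper (not from Safety Detectives or PouringPound Ltd.) that a defender can run against their own cluster: it issues one unauthenticated request to the cluster root and reports whether the server demanded a login; the host and port are assumptions (Elasticsearch’s default HTTP port is used).

```python
"""Self-audit for the unauthenticated-Elasticsearch misconfiguration.

Hypothetical helper written for this article, not code from the report.
Assumptions: plain HTTP on the Elasticsearch default port (9200); the
operator runs it only against hosts they are responsible for.
"""
import json
import urllib.error
import urllib.request

PROTECTED = "protected"   # server demanded credentials
EXPOSED = "exposed"       # cluster metadata readable with no password
UNKNOWN = "unknown"       # not reachable or not an Elasticsearch answer


def classify_response(status, body):
    """Classify the answer to a credential-less GET on the cluster root.

    401/403 means authentication is enforced. A 200 whose JSON body carries
    Elasticsearch's cluster metadata (cluster_name + version) means anyone
    who can reach the port can read the cluster, as in the breach above.
    """
    if status in (401, 403):
        return PROTECTED
    if status == 200:
        try:
            info = json.loads(body)
        except ValueError:
            return UNKNOWN
        if isinstance(info, dict) and "cluster_name" in info and "version" in info:
            return EXPOSED
    return UNKNOWN


def audit(host="127.0.0.1", port=9200, timeout=5):
    """Send one unauthenticated request and classify the result."""
    req = urllib.request.Request(f"http://{host}:{port}/")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # 401/403 arrive here as exceptions; still a meaningful answer
        return classify_response(err.code, err.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return UNKNOWN


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"{target}:9200 -> {audit(target)}")
```

A result of `exposed` on a host reachable from the internet is exactly the condition the report describes; the fix is to enable authentication on the cluster and keep the port off public interfaces.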
Reporting the problem
Despite Sen trying to contact PouringPound Ltd. about the violation early last month (4th September), it wasn’t until almost three weeks later (21st September) that the savings website acknowledged the problem and protected the database.
“Some companies always deny or try to minimize leaks,” Safety Detectives continues. “While some companies react well by securing the breach promptly, other companies do not react quickly enough and, when eventually cornered, tend to deny the breach or minimize the impact to preserve reputation.”
The report added that Safety Detectives believe the data had actually been exposed since August 9th, almost a month before Sen uncovered the breach.
Safety Detectives are currently working on an ethical web-mapping project, which is how they discovered the issue. The scheme aims to find and identify vulnerabilities and notify those in charge in the hopes of improving online security.