Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Mexican tax refund MoneyBack site exposed 400GB of sensitive customer data

Experts from security firm Kromtech discovered the Mexican VAT refund site MoneyBack exposed 400GB of sensitive information. Another huge data leak made the headlines, experts from security firm Kromtech discovered the Mexican VAT refund site MoneyBack exposed sensitive customer information online. because of a misconfigured database. Kromtech discovered the unsecured CouchDB during a routine security audit. The Mexican VAT refund […]

Mexican tax refund MoneyBack site exposed 400GB of sensitive customer data

Experts from security firm Kromtech discovered the Mexican VAT refund site MoneyBack exposed 400GB of sensitive information.

Another huge data leak made the headlines, experts from security firm Kromtech discovered the Mexican VAT refund site MoneyBack exposed sensitive customer information online. because of a misconfigured database.

Kromtech discovered the unsecured CouchDB during a routine security audit.

The Mexican VAT refund site MoneyBack is used by tourists that applied for a tax refund on the money they have spent in the country while shopping there.

The data leak was the result of a misconfigured Apache CouchDB database containing roughly 500,000 customers’ passport details, credit card numbers, travel tickets.

“The Kromtech Security Research Center has discovered a misconfigured database with nearly half a million customer files that were left publically accessible.” reads the analysis published by Kromtech. 

“The database appears to be connected with MoneyBack, a leading provider of tax refund (value-added tax refund or sales tax refund) services for international travelers in Mexico.

Moneyback is part of Prorsus Capital SAPI de CV, a Mexican Investment Fund. The most dangerous aspect of this discovery is the massive amount of data totaling more than 400GB.”

The experts discovered more than 400GB of sensitive data left open accessible online, the huge trove of information includes 455,038 scanned documents (Passports, IDs, Credit Cards, Travel Tickets & More) and 88,623 unique passport numbers registered or scanned.

MoneyBack mexico

The experts identified passports from all over the world, mostly belonging to citizens from the US, Canada, Argentina, Colombia, and Italy that used the services between 2016 and 2017.

Which are the risks related to the exposure of such kind of data?

“Cyber criminals could have all of the information they would need to commit identity fraud or use the hundreds of thousands of credit card numbers that were in the database.” states Alex Kernishniuk, VP of strategic alliances, Kromtech. 

 

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – MoneyBack, DataLeak)

[adrotate banner=”5″]

[adrotate banner=”13″]