Nearly 20TB of data was leaked comprising more than 16 billion records. Millions of FBS users spread across the world were affected.
WizCase, an online security and privacy portal, has announced a major data breach on online trading platform FBS.
Ata Hakcil led the team of white hat hackers who found millions of confidential records (including names, passwords, email addresses, passport numbers, national IDs, credit cards, and financial transactions) from FBS.com and FBS.eu.
According to WizCase, FBS left an unsecured Elasticsearch server containing almost 20TB of data and over 16 billion records exposed to the internet. Despite the confidential nature of the information it held, the server was left open without any password protection or encryption.
“The WizCase team found that the FBS information was accessible to anyone. The breach is a danger to both FBS and its customers. User information on online trading platforms should be well secured to prevent similar data leaks”, said WizCase web security expert Chase Williams.
“Were such detailed personally identifiable information (PII) to fall in the wrong hands, it could have been used in the execution of a wide range of cyber threats. The data leak was unearthed as part of WizCase’s ongoing research project that randomly scans for unsecured servers and seeks to establish who are the owners of these servers. We notified FBS of the breach so they could take appropriate action to secure the data”.
Leaked information included personal data such as names and surnames, email addresses, phone numbers, billing addresses, country, time zone, IP addresses, coordinates, passport numbers, mobile device models, operating system, emails sent to FBS users, and social media IDs including Google IDs and Facebook IDs.
The leak also included files uploaded by users for verification, including personal photos, national ID cards, driver's licenses, birth certificates, bank account statements, utility bills, and unredacted credit cards.
WizCase published a few examples of the breached data.
[Screenshot: user ID and credit card photo uploads]
User details such as:
- FBS user ID
- FBS account creation date
- Unencrypted passwords encoded in base64
- Password reset links
- Login history
- Loyalty data including loyalty level, level points, prize points, total money deposited, active days, active clients, points earned and points spent
[Screenshot: a German user's account]
[Screenshot: an Australian user's account]
[Screenshot: plain text (base64-encoded) passwords]
Financial details such as:
- User transaction details including deposited money, currency, payment system, transaction IDs, account IDs, transaction dates, number of times money was deposited, last deposit amount, last deposit date, total deposit, credit, balance, last month's balance, interest rate, taxes, equity and free margin. Some of the transactions were very large.
[Screenshot: a $500,000 transaction]
Each data set would on its own provide valuable information for an attacker but combining all of them makes the threat much more formidable.
FBS has more than 400,000 partners and 16 million traders spanning over 190 countries. The FBS app for the Android OS has been downloaded more than one million times on Google Play Store as of January 2021.
According to the retail broker, which is an official trading partner of soccer giants FC Barcelona, FBS clients rake in half a billion dollars in profit each year.