Unprotected Elasticsearch server exposed PII and financial data of Chinese mobile loan app users
- The open server exposed the personal information, financial data, mobile device information, and billing information of Chinese citizens who used loan apps.
- The database was left open for two weeks and has now been secured by Aliyun Computing Co.
Researchers from SafetyDetectives uncovered an unprotected Elasticsearch server that exposed over 899 GB of data.
Who is the owner of the database?
The company behind the leaky database is currently unknown. However, the database leaked data from more than 100 loan-related apps, suggesting that the owner is most likely a marketing agency for mobile apps. The provider of the server is Aliyun Computing Co., but it only rented the server to the company and is not responsible for the leak.
The database was left open for two weeks and has now been secured by Aliyun Computing Co.
What information was exposed?
- The open server exposed the personal information of Chinese citizens who used loan apps, including their names, phone numbers, and addresses.
- The database included financial data such as loan records, loan details, risk management data, and ID numbers.
- The database also contained mobile device information such as device model and version, device location, operator details, memory data, stored app data, IMSI and IMEI numbers, GPS location, SMS logs, a detailed list of contacts, transaction details, detailed tracking of app behavior, launch and exit times, and MD5-hashed passwords.
- Mobile billing invoices, including names, billing addresses, call logs, bill amounts, and credit card details, were also in the database.
“There are more than enough details to entirely overtake someone’s identity without any significant effort whatsoever. If this data were to be sold on the Dark Web, it could easily be packaged into a ‘deal’ where an individual’s financial, medical, and personal life are up for grabs. When targeted, even a phone’s SIM card can be replicated and nearly full access to all of a person’s phone apps that control smart home devices, contain private photos and details, and more is made available,” the researchers wrote in a blog post.