Money-saving websites used by over 3.5 million bargain hunters have leaked 2 terabytes of sensitive information onto the dark web.
Data exposed by British website PouringPounds.com and Indian sister site CashKaro.com includes bank details, full names, mobile phone numbers, email addresses, plain-text passwords and usernames, IP addresses, and more. Both sites are owned by PouringPounds Ltd.
The double breach was discovered by a group of Safety Detectives researchers led by hacktivist and cybersecurity expert Anurag Sen. The researchers found the sensitive data in a publicly exposed Elasticsearch database that had no password protection at all.
The discovery was made in the course of an ongoing ethical web-mapping project run by Safety Detectives, which seeks to identify vulnerabilities and exposed data online and notify those responsible in order to improve online safety and security.
Researchers wrote: "The elastic server was publicly exposed without any password protection. Searching at a specific port, anyone could find it easily and take advantage of it maliciously. From what we can see, it was exposed since August 9, 2019."
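The condition the researchers describe, an Elasticsearch node that answers REST requests with no credentials, is straightforward to check. The following Python snippet is an added illustration, not part of the original report or of Safety Detectives' tooling: it requests the node's root document and its index listing and classifies the node as open, protected, or not recognisably Elasticsearch. The hostname, the sample responses and the choice of port 9200 (Elasticsearch's default REST port) are assumptions made for the example.

```python
"""Added example: detect an Elasticsearch node that serves data without
authentication. Not taken from the article or from any real scanner."""
import json
import urllib.error
import urllib.request

DEFAULT_PORT = 9200  # assumption: Elasticsearch's default REST port

# Constructed sample responses, shaped like those of a real node.
# They are not data from the PouringPounds/CashKaro incident.
SAMPLE_OPEN_ROOT = (
    '{"name":"node-1","cluster_name":"elasticsearch",'
    '"version":{"number":"6.8.2"},"tagline":"You Know, for Search"}'
)
SAMPLE_OPEN_INDICES = (
    '[{"health":"yellow","status":"open","index":"users","docs.count":"3500000"},'
    '{"health":"yellow","status":"open","index":"logs-2019.09.21","docs.count":null}]'
)
SAMPLE_PROTECTED_ROOT = '{"error":{"type":"security_exception"},"status":401}'


def fetch(url, timeout=5):
    """GET a URL and return (status, body).  HTTP errors are results, not
    exceptions: a 401 is exactly the signal we want.  Connection failures
    are reported as status 0."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except urllib.error.URLError:
        return 0, ""


def classify(root_status, root_body, indices_status, indices_body):
    """Classify a node from GET / and GET /_cat/indices?format=json.

    Returns ('open', [(index, doc_count), ...]) when the node lists its
    indices without credentials, ('protected', []) when it demands
    authentication, and ('unknown', []) otherwise.
    """
    if root_status in (401, 403) or indices_status in (401, 403):
        return "protected", []
    try:
        root = json.loads(root_body)
    except ValueError:
        return "unknown", []
    # A real Elasticsearch root document carries both of these keys.
    if not (isinstance(root, dict) and "version" in root and "cluster_name" in root):
        return "unknown", []
    if indices_status != 200:
        return "unknown", []
    try:
        indices = json.loads(indices_body)
    except ValueError:
        return "unknown", []
    # docs.count is a string, or null for closed indices.
    found = [(ix.get("index", "?"), int(ix.get("docs.count") or 0)) for ix in indices]
    return "open", found


def probe(host, port=DEFAULT_PORT):
    """Probe a live host.  Only run this against systems you own or are
    authorised to test."""
    base = f"http://{host}:{port}"
    rs, rb = fetch(base + "/")
    is_, ib = fetch(base + "/_cat/indices?format=json")
    return classify(rs, rb, is_, ib)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(classify(200, SAMPLE_OPEN_ROOT, 200, SAMPLE_OPEN_INDICES))
    print(classify(401, SAMPLE_PROTECTED_ROOT, 401, ""))
```

An index listing that comes back with a 200 and document counts is the whole story: anyone who can reach the port can read every document with the same lack of credentials. The corresponding fix on the server side is to enable authentication (X-Pack security or a proxy in front of the node) and to bind the REST port to a private interface.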
The database of exposed sensitive information continued to grow while Safety Detectives investigated it. It held a rolling seven-day window of logs: each day the database showed entries for that day plus the previous six days.
Researchers wrote: "A bad actor could easily open an account and find the associated cash-back credit—available and ready to be transferred to any PayPal address easily. All you need to execute such a transaction would be the password which, again, we found available in plain text."
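Passwords stored in plain text are what turned an exposed database into a direct route to users' cash-back balances. As an added example, not code from the article or from PouringPounds Ltd, the following Python shows how those passwords should have been held: each one gets a random per-user salt and is stretched with PBKDF2-HMAC-SHA256 from the standard library, and only the salt, iteration count and derived key are stored, so a copy of the database yields no usable credentials. The storage format and the iteration count are assumptions chosen for the example.

```python
"""Added example: salted, stretched password storage with verification.
Not taken from any real system."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: a current recommended work factor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$key.

    The salt is fresh per call, so two users with the same password get
    different records and a leaked table cannot be attacked in bulk."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the key from the stored parameters and compare it in
    constant time.  Malformed records simply fail verification."""
    try:
        algo, iters, salt_b64, key_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
    except ValueError:  # covers binascii.Error and bad int()
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong", record))  # False
```

With records like these, a database leak still exposes names, phone numbers and bank details, but the attacker no longer gets a password that works on the site's own login form, let alone on PayPal or any other service where the user reused it.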
Sen informed PouringPounds Ltd of the breach on September 4 but received no response. After several more attempts to contact the company, Sen finally heard back on September 21. The database, which had been exposed for six weeks by this point, was secured later that day.
"Some companies always deny or try to minimize leaks," said a spokesperson from Safety Detectives. "While some companies react well by securing the breach promptly, other companies do not react quickly enough and, when eventually cornered, tend to deny the breach or minimize the impact to preserve reputation."