Forex broker FBS leaves millions of customer records exposed

Data includes names, passwords, emails, passport numbers, credit cards, financial transactions, and more

Foreign currency symbols on a screen

Security researchers have discovered a data breach at a major foreign exchange (forex) broker.

According to WizCase, online forex trading site FBS left nearly 20 TB of data exposed on an unsecured ElasticSearch server containing over 16 billion records.

The broker had over 16 million traders on its platform spanning 190 countries. According to WizCase web security expert Chase Williams the data contained millions of confidential records, including names, passwords, email addresses, passport numbers, national IDs, credit cards, financial transactions, and more.

There were also files uploaded by users for verification, including personal photos, national ID cards, drivers’ licenses, birth certificates, bank account statements, utility bills, and unredacted credit cards. Among the blog’s redacted pictures were French and Swedish credit cards, a Portuguese password, and details of a $500,000 transaction.

A team of white hat hackers led by Ata Hakcil of WizCase discovered the ElasticSearch server. The team discovered the leak on October 1 and contacted FBS the next day. FBS secured the server on October 5. It’s unknown how long FBS left the server unprotected before that. 

“Despite containing very sensitive financial data, the server was left open without any password protection or encryption. The WizCase team found that the FBS information was accessible to anyone. The breach is a danger to both FBS and its customers. User information on online trading platforms should be well secured to prevent similar data leaks,” said Williams.

Williams added that hackers could use the personally identifiable information (PII) exposed by the leak in fraudulent authentication across other platforms. Threat actors can also use the leaked information to launch scams, phishing, and malware attacks against FBS users. 

“The data could be the basis for establishing trust to encourage clicks, malware downloads, and the availing of more confidential information. Armed with the sensitive authentic data, a cybercriminal will sound more credible when they request for information over the phone or email,” Williams said.

WizCase urged users to change their passwords, use two-factor authentication on the platform, and watch for unusual and fraudulent activity on financial statements. Experts also advise FBS customers not to share any personal confidential information requested over email or the phone by potential scammers.

Featured Resources

Shining light on new 'cool' cloud technologies and their drawbacks

IONOS Cloud Up! Summit, Cloud Technology Session with Russell Barley

Watch now

Build mobile and web apps faster

Three proven tips to accelerate modern app development

Free download

Reduce the carbon footprint of IT operations up to 88%

A carbon reduction opportunity

Free Download

Comparing serverless and server-based technologies

Determining the total cost of ownership

Free download

Recommended

Sophos Intercept X Advanced review: AI-powered protection
endpoint security

Sophos Intercept X Advanced review: AI-powered protection

30 Nov 2021
SMBs urged to update software ahead of Black Friday
e commerce

SMBs urged to update software ahead of Black Friday

25 Nov 2021
US adds dozen Chinese tech companies to trade blacklist
Policy & legislation

US adds dozen Chinese tech companies to trade blacklist

25 Nov 2021
Fifth of UK security pros discriminated against in 2021
Careers & training

Fifth of UK security pros discriminated against in 2021

23 Nov 2021

Most Popular

Business customers can get 30% off the Surface Laptop Go for Black Friday 2021
Laptops

Business customers can get 30% off the Surface Laptop Go for Black Friday 2021

26 Nov 2021
Nike to take customers into the metaverse with 'NIKELAND'
virtualisation

Nike to take customers into the metaverse with 'NIKELAND'

19 Nov 2021
Flaw in Android phones could let attackers eavesdrop on calls
Google Android

Flaw in Android phones could let attackers eavesdrop on calls

26 Nov 2021