EXCLUSIVE: FINANCE APP LEAKS HUNDREDS OF THOUSANDS OF IDS IN MASSIVE CLOUD FAILURE
A popular money transfer app left a digital vault containing driver's licenses, passports, and intimate financial details completely open to the public internet for years. This isn't a sophisticated hack; it's a cybersecurity catastrophe born of sheer negligence. The Duc App, owned by Canadian fintech Duales, stored over 360,000 user files on an Amazon server with no password and no encryption—a stunning vulnerability that turned a cloud bucket into a free-for-all for data thieves.
Security researcher Anurag Sen discovered the trove, accessible to anyone with a web browser via an easy-to-guess address. The exposed data included user selfies, home addresses, transaction histories, and government IDs used for "know your customer" checks. This data breach is a goldmine for phishing and malware attackers, providing everything needed for identity theft and targeted fraud. The files, dating to 2020, were being updated daily, exposing users in real time.
"Leaving KYC documents unencrypted on a public server is an unforgivable failure in basic blockchain security and data stewardship," a veteran cybersecurity analyst told us. "This wasn't a zero-day exploit; it was an open door. Criminals could have easily weaponized this data for ransomware schemes or to drain crypto accounts."
Every user who trusted Duc with their identity is now at severe risk. This incident proves that the weakest link in digital finance is often not a complex malware attack, but human error in configuring fundamental cloud services. Your most sensitive data was just sitting there, waiting to be found.
We predict a wave of targeted fraud attempts against Duc's user base will follow this exposure, as stolen identity documents flood dark web markets. When companies treat your passport like a public file, your security is already compromised.
Your identity is not a public document. Demand better.



