Largest US credit union leaked potentially sensitive information
Date:
Wed, 03 Sep 2025 16:16:00 +0000
Description:
Navy Federal Credit Union kept an unprotected backup on the open internet, leaking all sorts of sensitive information.
FULL STORY
Navy Federal Credit Union (NFCU), the largest credit union in the United States, was leaking sensitive information to the open web by keeping a backup database unprotected and available on the wider internet. This is according
to Jeremiah Fowler, a cybersecurity researcher known for hunting unencrypted, non-password-protected databases.
In a recent announcement, Fowler said he found an archive containing 378GB of backup data. The data belongs to the largest credit union serving military members and their families, and contained storage locations, keys, hashed passwords, and other internal potentially sensitive information.
In a limited sampling of the exposed files, I saw internal users names, email addresses, and what appeared to be hashed passwords and keys, Fowler
explained. The backup files also revealed what appeared to be operational metadata, system logs, and business logic such as codes, product tiers, optimization processes, rate structures, and other data that should not have been publicly accessible.
Firmware update
NFCU serves military members, veterans, Department of Defense employees, and their families with banking, loans, and financial services. It was founded in 1933, and according to Website Planet, holds roughly $180.8 billion in assets under management, and counts 14.5 million members.
As soon as the researcher reached out to NFCU, the organization locked down
the database, but did not respond to the disclosure notice. Therefore, it remains unknown who actually operates the backup (it could be NFCU, but it could also be a third-party), for how long it remained open, and if anyone accessed it before Fowler.
Despite member data not being available in plain text, there is significant potential risk in exposing ancillary information, Fowler stressed. Hypothetically, attackers could use internal information (such as names, emails, and user IDs) to target staff or accounts with credential stuffing, phishing, or other social engineering attempts, with the goal of gaining further access to sensitive internal systems, files, or member data.
Therefore, customers are advised to be extra vigilant when receiving email messages and other communication claiming to come from NFCU.
Via Website Planet
======================================================================
Link to news story:
https://www.techradar.com/pro/security/largest-us-credit-union-leaked-potentia lly-sensitive-information
$$
--- SBBSecho 3.28-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)