Duc App - Hundreds of Thousands of Personal Records Exposed

Basically, Duc App accidentally made a lot of personal information public because of a mistake with their server settings.
A server misconfiguration at Duc App exposed users' sensitive personal records. The incident affects hundreds of thousands of users and raises serious privacy concerns. Users should monitor their information closely.
What Happened
Duc App, a money-transfer service owned by Duales, has suffered a significant data exposure incident. A publicly accessible Amazon-hosted storage server was left without password protection, allowing sensitive personal data of potentially hundreds of thousands of users to be exposed. This incident was reported by TechCrunch after security researcher Anurag Sen discovered the lapse.
Who's Affected
The exposed data includes unencrypted driver's licenses, passports, and other identity verification documents. Personal information such as names, home addresses, and selfies was also accessible. The data dates back to September 2020 and was uploaded daily, impacting a wide range of users who trusted Duc App with their sensitive information.
What Data Was Exposed
The nature of the exposed data is alarming. Users' driver's licenses and passports are critical identity documents that can lead to identity theft if misused. The presence of selfies and personal addresses further compounds the risk, making it easier for malicious actors to impersonate individuals or engage in fraud.
What You Should Do
If you are a user of Duc App, it is crucial to monitor your financial accounts and personal information for any signs of misuse. Consider changing passwords and enabling two-factor authentication on your accounts. Additionally, be vigilant about any unsolicited communications that may attempt to exploit this data exposure.
Duales has stated that the data was on a "staging site" and claimed to have resolved the exposure after being notified. However, a list of server contents remained visible, raising concerns about the effectiveness of their response and the overall security practices in place. This incident serves as a stark reminder of the importance of securing sensitive data and ensuring that servers are properly configured to prevent unauthorized access.