Connect with us

CyberSecurity

Duc Money Transfer App Exposes Thousands of Driver’s Licenses and Passports in Major Security Failure

Published

on

Duc Money Transfer App Exposes Thousands of Driver’s Licenses and Passports in Major Security Failure

A significant security failure at a Canadian fintech company has put the personal data of potentially hundreds of thousands of people at risk. The Duc App, a money-transfer service, left a cloud storage server containing sensitive user documents openly accessible to anyone on the internet without a password. This incident highlights a persistent and dangerous trend in digital finance.

How the Duc App Data Breach Happened

Security researcher Anurag Sen discovered the exposed server earlier this week. The server, hosted on Amazon Web Services, was configured to publicly list its contents. Consequently, anyone with a web browser could view and download the files simply by knowing its web address. The data was stored without encryption, removing any final barrier to accessing the full contents of the files.

According to Sen’s analysis, the server contained over 360,000 files. These were not just random documents; they were the core identity verification materials submitted by users. This means the breach involved driver’s licenses, passports, and user-uploaded selfies—the very documents used to prove “who you are” in the digital world.

The Scope of the Exposed Information

Building on this, the exposure was not limited to static images. The server also held spreadsheets with detailed customer records. These files listed names, home addresses, and the specific dates, times, and details of financial transactions. The files dated back to September 2020 and were being updated daily, indicating a live, ongoing leak of personal and financial data.

Company Response and Lingering Questions

When contacted by TechCrunch, Duales CEO Henry Martinez González stated the data was on a “staging site” used for testing. However, he did not explain why real, sensitive customer information was present on a test server or why that server was publicly accessible. His claim that “all protections are in place” stands in stark contrast to the reality of the open server.

After the notification, the company made the files inaccessible. Nevertheless, a critical question remains unanswered: Martinez González would not confirm if the company has logs to determine who accessed the data or how many times it was downloaded. This lack of visibility means affected users may never know if their data was copied by malicious actors.

A Recurring Problem in Digital Verification

This Duc App data breach is not an isolated event. It fits a worrying pattern where companies aggressively collect sensitive identity documents but fail to implement corresponding security measures. Apps and websites increasingly demand passports and driver’s licenses for “Know Your Customer” (KYC) checks, yet the custodianship of this data is often shockingly weak.

For instance, last year, the social app TeaOnHer exposed thousands of similar documents required for user verification. In another case, Discord confirmed a breach affecting about 70,000 government IDs uploaded for age verification. Each incident erodes user trust and demonstrates a systemic failure to prioritize data security from the outset.

Therefore, the core issue extends beyond a single misconfigured server. It points to a flawed approach where data collection is prioritized over data protection. Companies treat sensitive ID documents as just another file type, storing them in standard cloud buckets without the stringent, additional safeguards they inherently require.

Regulatory Scrutiny and User Fallout

In response to this incident, the Office of the Privacy Commissioner of Canada has initiated contact with Duales. The regulator is seeking more information to determine its next steps, which could include an investigation and potential penalties. This regulatory attention is becoming more common as the frequency and severity of such breaches increase.

For users of the Duc App, the implications are severe. Exposure of a driver’s license or passport number creates a high risk of identity theft and fraud. These documents are difficult to change and are master keys to a person’s identity. Combined with exposed home addresses and transaction histories, the potential for targeted phishing attacks or financial fraud is significantly heightened.

As a result, affected individuals must remain vigilant. They should monitor their financial accounts for unusual activity, be wary of sophisticated phishing attempts referencing their Duc App transactions, and consider placing fraud alerts with credit bureaus. For more guidance on protecting yourself after a data breach, read our guide on post-breach security steps.

Preventing the Next Cloud Storage Catastrophe

So, what can be done to stop this cycle? First, companies must adopt a “security by design” philosophy. Sensitive data like government IDs should be encrypted at rest and in transit by default. Access should be governed by strict, role-based permissions, not left open to the public internet. Regular security audits and penetration testing are non-negotiable for any service handling financial or identity data.

Furthermore, the use of production data on staging or test servers should be strictly prohibited. These environments are inherently less secure and are frequent targets for attacks. Instead, anonymized or synthetic data should be used for all testing and development purposes. Learn more about secure development practices in our article on building secure fintech applications.

Ultimately, the Duc App data breach serves as another stark reminder. In the rush to build and launch digital services, fundamental security practices are too often an afterthought. Until companies are held fully accountable for the data they collect—both legally and in the court of public opinion—these preventable exposures will continue to put millions of people at risk.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

CyberSecurity

A Lone Hacker Used AI to Breach AWS in 72 Hours — Here’s What Went Wrong

Published

on

AWS breach 72 hours

The 72-Hour Cloud Breach That Shook AWS Security

A single attacker armed with AI tools and stolen credentials managed to break into a large Amazon Web Services cloud environment in just three days. The incident, reported by cloud security firm Mitiga, reveals a frightening new reality: cloud defenses that once held up against human attackers are crumbling under AI-assisted assaults.

The attacker didn’t just brute-force their way in. They exploited AI workflows, chained together multiple cloud weaknesses, and used stolen credentials to move laterally. Within 72 hours, they had enough access to extort the victim — a major AWS customer whose identity remains undisclosed.

This isn’t a nation-state operation. It wasn’t a sophisticated hacker collective. It was one person, working alone, with AI as their force multiplier.

How the Attacker Exploited AI Workflows

The breach didn’t start with a flashy zero-day. It started with something far more mundane: compromised credentials. The attacker obtained access to an AWS Identity and Access Management (IAM) user account — probably through phishing, credential stuffing, or a third-party data leak.

Once inside, they didn’t just poke around. They used AI tools to analyze the cloud environment, identify weak points, and automate the discovery of misconfigured S3 buckets, exposed APIs, and overly permissive roles. Traditional reconnaissance that might take a team of humans weeks was compressed into hours.

AI-powered scanning let the attacker map the entire cloud infrastructure in record time. They found a chain of vulnerabilities — a public-facing EC2 instance with an outdated SSH key, a Lambda function with excessive permissions, and a CloudTrail logging gap that left blind spots.

The AI Workflow Exploitation Itself

Perhaps most troubling: the attacker targeted the victim’s own AI workflows. Many AWS customers now run machine learning pipelines, using services like Amazon SageMaker and Bedrock. These workflows often involve large datasets, model training scripts, and automated deployment pipelines — all rich targets.

The attacker injected malicious code into a SageMaker notebook instance, which then executed with the permissions of the service role. That gave them access to training data, model artifacts, and even the ability to poison future outputs. They also exploited a misconfigured Bedrock agent that had access to internal databases.

By weaponizing the victim’s own AI infrastructure, the attacker turned a productivity tool into a backdoor.

Stolen Credentials and Lateral Movement

Stolen credentials were the linchpin. The attacker used the initial IAM access to harvest more keys — from EC2 instance metadata, from environment variables in Lambda functions, and from secrets stored in plaintext in a code repository.

Each new credential opened another door. They moved from the compromised IAM account to an S3 bucket with customer data, then to an RDS database containing financial records. The lateral movement was systematic, deliberate, and fast.

Cloud security teams often assume that stolen credentials alone can’t cause catastrophic damage. This breach proves otherwise. When combined with AI-driven reconnaissance, a single set of keys becomes a skeleton key.

The Extortion Stage: How the Attacker Demanded Payment

Once the attacker had access to critical data and systems, they didn’t exfiltrate everything quietly. They made their presence known. They encrypted several S3 buckets using the victim’s own KMS keys — a technique that leaves the victim locked out of their own data.

Then came the extortion demand. The attacker threatened to release the stolen data publicly and permanently destroy the encrypted buckets unless a ransom was paid. The exact amount hasn’t been disclosed, but the victim was left with no easy way out.

This is a new breed of cloud extortion. It’s not just about ransomware on a single server. It’s about holding an entire cloud environment hostage — and using AI to make the attack faster, more precise, and harder to detect.

Cloud Security Lessons: What AWS Customers Must Do Now

The Mitiga report offers several specific recommendations. Here’s what every AWS customer should take away:

  • Audit AI workflows immediately. SageMaker notebooks, Bedrock agents, and Lambda functions that process AI data need strict permission boundaries. Assume they will be targeted.
  • Rotate credentials aggressively. Stolen IAM keys were the entry point. Use short-lived credentials via AWS STS whenever possible. Enable MFA for every user — no exceptions.
  • Close logging gaps. The attacker exploited blind spots in CloudTrail. Enable detailed logging for all API calls, especially for IAM, S3, and Lambda. Use GuardDuty to detect anomalous behavior.
  • Segment the environment. The attacker moved laterally because there were no network boundaries between the compromised IAM account and sensitive databases. Use VPCs, security groups, and service control policies to isolate critical assets.
  • Monitor for AI-specific attacks. Traditional security tools may miss malicious activity in machine learning pipelines. Consider specialized monitoring for model access, training data modifications, and unusual API calls to AI services.

This breach could happen to any AWS customer. The tools the attacker used — stolen credentials, AI automation, cloud misconfigurations — are available to anyone with malicious intent and a few hundred dollars worth of compute time.

The window for detection is shrinking. A human attacker might leave traces over weeks. An AI-assisted attacker can complete the kill chain in a weekend. Cloud security teams need to think faster, automate defenses, and assume that credentials are already compromised.

Because the next lone attacker won’t be alone. They’ll have AI on their side.

Continue Reading

CyberSecurity

CISA Flags Four New Flaws Under Active Attack: Adobe, Joomla, and Langflow Affected

Published

on

actively exploited vulnerabilities

Urgent Patch Deadline: Three Weeks for Federal Agencies

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog. The agency confirmed evidence of active exploitation in the wild. Federal civilian agencies now have until April 11, 2026 — just three weeks — to patch or remediate these bugs under Binding Operational Directive (BOD) 22-01.

That timeline isn’t optional. It’s a hard deadline for .gov networks. But the implications stretch far beyond government IT. Any organization running the affected software should treat this as a red alert.

The Four Flaws: A Quick Breakdown

CISA’s latest KEV update covers vulnerabilities in Adobe ColdFusion, Joomla, and Langflow. Here’s what you need to know about each one.

1. CVE-2026-48282 — Adobe ColdFusion (CVSS 10.0)

This is the headliner. A path traversal vulnerability in Adobe ColdFusion that carries a perfect 10.0 CVSS score. Attackers can exploit it to achieve arbitrary code execution on the target server. That’s the worst kind of bug: full system compromise, no authentication required, with a low attack complexity.

Adobe released a security update for this flaw back in March. If you haven’t applied it yet, you’re effectively leaving a backdoor open. ColdFusion has been a favorite target for ransomware groups and state-sponsored actors for years. This isn’t a theoretical risk — CISA’s KEV listing confirms it’s already being used in real attacks.

2. CVE-2025-4439 — Joomla Core Vulnerability

The second actively exploited vulnerability resides in Joomla, the popular open-source content management system. While CISA’s public advisory doesn’t yet detail the exact attack vector, the KEV inclusion signals that threat actors have found a reliable way to weaponize it. Joomla sites running unpatched versions should be considered compromised until proven otherwise.

3. CVE-2025-3248 and CVE-2025-3249 — Langflow Bugs

Langflow, a visual framework for building AI and machine learning applications, has two flaws on the list. Both are under active exploitation. Langflow’s growing popularity in the AI development space makes it an attractive target. Organizations using Langflow for internal AI pipelines should prioritize patching immediately.

Why This Matters for Your Organization

Three weeks sounds like plenty of time. It isn’t. Not when you factor in patch testing, deployment windows, and the sheer chaos of modern IT environments. Attackers know this. They’re counting on it.

The KEV catalog isn’t a suggestion. It’s a list of vulnerabilities that CISA has confirmed are being actively exploited. For federal agencies, it’s a legal obligation. For everyone else, it’s a clear signal: patch now, or accept the risk of a breach.

What makes these four vulnerabilities particularly dangerous is their diversity. They hit a legacy enterprise platform (ColdFusion), a widely used CMS (Joomla), and an emerging AI tool (Langflow). That means attackers have multiple entry points across different parts of your infrastructure.

What You Should Do Right Now

Start with the Adobe ColdFusion fix. A CVSS 10.0 flaw with active exploitation is your highest priority. Verify your version against Adobe’s security bulletin and apply the patch. If you can’t patch immediately, isolate the affected servers from the internet.

Next, check your Joomla installations. The CMS powers millions of websites, many of which are small businesses with minimal security staffing. If you’re running Joomla, confirm you’re on the latest supported version and review your access logs for signs of compromise.

Finally, audit any Langflow deployments. Because Langflow is newer and often used in experimental or development environments, it may have flown under the radar of your standard patch management process. Find it. Patch it.

Don’t forget the basics: enable multi-factor authentication, review user permissions, and ensure your vulnerability management program covers third-party and open-source components. The KEV catalog is a free resource — use it. Subscribe to updates, and cross-reference it against your asset inventory weekly.

The Bigger Picture: Active Exploitation Is the Norm

This KEV update is a reminder that the gap between disclosure and exploitation is shrinking. Attackers don’t wait for patch Tuesday. They scan for vulnerable systems within hours of a CVE being published. The four flaws added today were already being weaponized before CISA made them public.

That’s the new reality. Software vendors release patches; criminals reverse-engineer them to find the underlying vulnerability; and then they hunt for unpatched systems. It’s a cycle that repeats with every major update.

Your defense isn’t just about patching fast. It’s about knowing what you have, tracking what’s vulnerable, and having a process that can respond in days, not months. The organizations that survive these attacks are the ones that treat patching as a core operational discipline, not an afterthought.

Check your Adobe ColdFusion version. Update your Joomla instance. Find your Langflow servers. You have three weeks. Don’t waste them.

Continue Reading

CyberSecurity

Nightmare Eclipse Strikes Again: ‘LegacyHive’ Windows Zero-Day Lands on Patch Tuesday

Published

on

LegacyHive Windows zero-day

Another Patch Tuesday, Another Zero-Day From a Disgruntled Researcher

On July 14, 2026 — the same day Microsoft shipped its latest batch of security fixes — the security researcher known as Nightmare Eclipse (also called Chaotic Eclipse) published yet another unpatched Windows vulnerability. This one is called LegacyHive.

It’s a local privilege escalation bug hiding inside the Windows User Profile Service. Successful exploitation lets an attacker load other users’ registry hives, including those belonging to administrators. That’s a direct path to gaining higher privileges on a compromised machine.

The timing is deliberate. Nightmare Eclipse has made a habit of dropping zero-days on or near Patch Tuesday, maximizing pressure on Microsoft while minimizing the window for defenders to react.

What LegacyHive Does — and What It Doesn’t Do (Anymore)

The proof-of-concept (PoC) exploit code works on systems running the July 2026 patches. According to the researcher, the PoC requires credentials for a standard user account plus a third username — which can be an admin account. If it succeeds, the exploit mounts the target user’s hive into the current user’s classes root.

Here’s where it gets interesting. Nightmare Eclipse released LegacyHive with a stripped PoC — deliberately neutered to reduce the chance of immediate in-the-wild exploitation. That’s a departure from previous drops.

The original version, the researcher claims, didn’t need user credentials at all. It could load any hive, not just the usrclass.dat file. That full-power variant is still possible, the researcher says, but would require extra work to reconstruct.

Why Strip the PoC?

It’s a calculated move. By releasing a limited proof-of-concept, Nightmare Eclipse publicizes the vulnerability’s existence without handing attackers a ready-made weapon. Security teams can test defenses and Microsoft can develop a patch — but the bar for real-world exploitation stays higher than it would be with a full exploit.

Whether that restraint holds is another question. Other researchers or threat actors could reverse-engineer the stripped code and rebuild the missing functionality.

Nightmare Eclipse’s Growing Zero-Day Arsenal

This isn’t a one-off. Nightmare Eclipse has now released more than half a dozen zero-days targeting Microsoft products. The list includes BlueHammer, RedSun, and UnDefend — all of which have been spotted in active attacks. Then there are GreenPlasma, RoguePlanet, YellowKey, and GreatXML.

Each one follows a similar pattern: a focused, single-vulnerability exploit with enough detail to demonstrate the flaw but often short of a full weaponized payload. The cumulative effect is a steady drumbeat of unpatched Windows bugs that keeps defenders scrambling.

For context on related attack techniques, see Windows Bind Link Attacks Can Hide Malware From EDR Tools.

Microsoft Hasn’t Responded Yet

As of publication, Microsoft has not acknowledged the LegacyHive vulnerability. SecurityWeek reached out to the company for comment but hasn’t received a reply. This article will be updated if and when Microsoft responds.

The lack of official acknowledgment is itself telling. Microsoft typically stays silent on zero-days until it has a patch ready or the vulnerability becomes widely exploited. Given Nightmare Eclipse’s track record, it’s reasonable to expect a fix in a future cumulative update — but no timeline has been offered.

What Defenders Should Do Right Now

Until Microsoft ships a patch, organizations running Windows should take these steps:

  • Monitor for unusual User Profile Service activity. LegacyHive targets this service specifically. Logs showing unexpected hive mounts or privilege escalations are red flags.
  • Restrict standard user credentials. The stripped PoC requires another standard user’s credentials to work. Limiting credential exposure reduces the attack surface.
  • Apply the July 2026 Patch Tuesday updates. Even though LegacyHive works on patched systems, the latest updates fix other critical vulnerabilities. Don’t skip them.
  • Watch for follow-on research. Other researchers may analyze the stripped PoC and release a working exploit. Stay informed through trusted security news sources.

For a broader view of recent Microsoft vulnerabilities, see Microsoft Patches Record 622 Vulnerabilities, Including Two Exploited Zero-Days.

A Pattern That Won’t Stop

Nightmare Eclipse shows no signs of slowing down. The researcher’s motives remain murky — part whistleblower, part provocateur — but the output is consistent: a new Windows zero-day every few months, timed for maximum disruption.

LegacyHive is the latest. It probably won’t be the last.

For related coverage on unpatched flaws in other software, see Unpatched Cursor Vulnerability Exposes Users to Code Execution.

Continue Reading

Trending