Phantom Stealer Exposed: How This .NET Malware Bundle Targets European Businesses

Understanding Phantom Stealer Malware Operations

Cybersecurity researchers have uncovered disturbing details about Phantom Stealer malware, a sophisticated .NET-based threat that operates within a comprehensive cybercrime ecosystem. This malicious software represents more than just another data thief—it’s part of an integrated commercial package that combines information stealing, encryption, and remote access capabilities under tiered subscription models.

The malware systematically harvests browser credentials, authentication cookies, stored passwords, and autofill information from compromised machines. Additionally, it extracts payment card details, messaging platform sessions, email account data, and Wi-Fi network credentials before transmitting everything through multiple communication channels including messaging services, SMTP protocols, and FTP connections.

European Businesses Under Phantom Stealer Malware Attack

Between November 2025 and January 2026, Group-IB documented a persistent phishing operation delivering Phantom Stealer malware to European organizations. The campaign specifically focused on logistics companies, manufacturing firms, and technology businesses across the continent through five distinct attack waves.

However, security systems successfully intercepted these malicious emails before they reached intended recipients. The attackers demonstrated a concerning pattern of simultaneously targeting multiple unrelated organizations on identical dates, a hallmark characteristic of stealer-as-a-service operations.

These deceptive messages masqueraded as communications from legitimate equipment trading companies, employing procurement-themed subject lines crafted to mimic authentic business correspondence. The emails maintained brevity—typically containing only two to three sentences—while incorporating professional signature blocks to enhance their credibility.

Technical Analysis of Phantom Stealer Malware Distribution

Each fraudulent email contained archive attachments harboring either obfuscated JavaScript droppers or malicious executable files. Despite variations in subject lines and attachment types, researchers identified several persistent indicators that exposed the coordinated nature of this campaign.

Critical authentication failures emerged as primary detection signals. Messages consistently exhibited SPF authentication problems and lacked proper DKIM signatures, immediately flagging them as suspicious communications. Therefore, security teams could identify these threats through standard email authentication protocols.

Furthermore, the campaign revealed additional telltale signs including recycled email templates with impersonal greeting structures, repeated spelling errors across multiple messages, fraudulent business identity spoofing, and continuously rotating infrastructure components. These patterns clearly indicated automated tooling deployment and template reuse strategies.
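As an added example (not code from Group-IB or the article), a small Python triage routine that applies the indicators described above to two constructed messages: it reads the receiving server's Authentication-Results header for the SPF and DKIM verdicts, looks for archive or script attachments, checks for an impersonal greeting and a procurement-themed subject, and flags a message only when several signals coincide. Every domain, address and filename in the samples is constructed.

```python
import re
from email import message_from_string, policy
# Constructed sample messages (not taken from the Group-IB report). SUSPICIOUS
# mirrors the campaign traits described above; BENIGN is a normal supplier reply.
SUSPICIOUS = """\
From: sales@example-equipment-trading.test
To: procurement@victim-logistics.test
Subject: Request for Quotation - Purchase Order 4471
Authentication-Results: mx.victim-logistics.test;
 spf=fail (sender IP is 203.0.113.9) smtp.mailfrom=example-equipment-trading.test;
 dkim=none header.d=none
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Sir/Madam, please find attached our order. Best regards, Sales Team
--b1
Content-Type: application/zip; name="PO_4471.zip"
Content-Disposition: attachment; filename="PO_4471.zip"

(archive bytes omitted)
--b1--
"""
BENIGN = """\
From: supplier@partner.test
To: procurement@victim-logistics.test
Subject: Re: Invoice 2026-0112
Authentication-Results: mx.victim-logistics.test; spf=pass smtp.mailfrom=partner.test;
 dkim=pass header.d=partner.test
Content-Type: text/plain

Thanks, the invoice is attached to the previous thread.
"""

RISKY_EXT = {".zip", ".rar", ".7z", ".iso", ".js", ".jse", ".exe", ".scr"}
PROCUREMENT = re.compile(r"\b(quotation|rfq|purchase order|procurement|invoice)\b", re.I)
IMPERSONAL = re.compile(r"^\s*dear\s+(sir|madam|customer)", re.I)

def auth_results(msg):
    """Collect SPF/DKIM/DMARC verdicts from the receiving MX's Authentication-Results."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr).lower()):
            verdicts.setdefault(mech, result)
    return verdicts

def triage(raw):
    """Return {'suspicious': bool, 'reasons': [...]} for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    auth, reasons = auth_results(msg), []
    for mech in ("spf", "dkim"):          # both failed or missing in the campaign
        if auth.get(mech, "missing") != "pass":
            reasons.append(f"{mech}={auth.get(mech, 'missing')}")
    for part in msg.walk():
        name = part.get_filename()
        if name and ("." + name.rsplit(".", 1)[-1].lower()) in RISKY_EXT:
            reasons.append(f"archive/script attachment {name}")
        if part.get_content_type() == "text/plain" and IMPERSONAL.match(part.get_content()):
            reasons.append("impersonal greeting")
    if reasons and PROCUREMENT.search(str(msg.get("Subject", ""))):
        reasons.append("procurement-themed subject")
    # One signal alone may be a misconfigured legitimate sender; require two.
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}
```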

Detection Methods and Security Implications

Security researchers employed multi-layered analysis techniques combining sender authentication verification, content examination, and controlled malware detonation to identify this Phantom Stealer malware campaign. The detonation process successfully mapped the complete execution sequence, from initial script activation through final payload deployment.

This comprehensive analysis confirmed multiple malicious behaviors including credential harvesting operations, anti-analysis evasion techniques, and systematic data exfiltration processes. Consequently, organizations gained valuable insights into the malware’s operational methodology and defensive capabilities.

As researchers explained, “Phantom Stealer exemplifies a broader trend where credential theft scales through commercial stealer-as-a-service platforms, ultimately resulting in identity-driven compromises that frequently escalate to ransomware attacks or business email fraud schemes.”

Broader Cybercrime Ecosystem Connections

The stolen credentials harvested by Phantom Stealer malware rarely remain unused. Criminal organizations frequently weaponize these compromised accounts for ransomware deployment, large-scale data breaches, and business email compromise operations, establishing infostealers as persistent organizational threats.

Moreover, the subscription-based distribution model demonstrates how cybercrime has evolved into a sophisticated business ecosystem. This commercialization enables less technically skilled criminals to access powerful malware tools, significantly expanding the threat landscape for businesses worldwide.

Organizations must recognize that cybersecurity awareness alone cannot combat these evolving threats. Instead, comprehensive defense strategies incorporating email authentication protocols, endpoint detection systems, and employee training programs provide the most effective protection against Phantom Stealer malware and similar threats.

Building on this understanding, security teams should implement robust monitoring systems that can detect the authentication failures and behavioral patterns associated with stealer-as-a-service campaigns. This proactive approach enables organizations to identify and neutralize threats before they can establish footholds within corporate networks.

Duc Money Transfer App Exposes Thousands of Driver’s Licenses and Passports in Major Security Failure

A significant security failure at a Canadian fintech company has put the personal data of potentially hundreds of thousands of people at risk. The Duc App, a money-transfer service, left a cloud storage server containing sensitive user documents openly accessible to anyone on the internet without a password. This incident highlights a persistent and dangerous trend in digital finance.

How the Duc App Data Breach Happened

Security researcher Anurag Sen discovered the exposed server earlier this week. The server, hosted on Amazon Web Services, was configured to publicly list its contents. Consequently, anyone with a web browser could view and download the files simply by knowing its web address. The data was stored without encryption, removing any final barrier to accessing the full contents of the files.

According to Sen’s analysis, the server contained over 360,000 files. These were not just random documents; they were the core identity verification materials submitted by users. This means the breach involved driver’s licenses, passports, and user-uploaded selfies—the very documents used to prove “who you are” in the digital world.

The Scope of the Exposed Information

Building on this, the exposure was not limited to static images. The server also held spreadsheets with detailed customer records. These files listed names, home addresses, and the specific dates, times, and details of financial transactions. The files dated back to September 2020 and were being updated daily, indicating a live, ongoing leak of personal and financial data.

Company Response and Lingering Questions

When contacted by TechCrunch, Duales CEO Henry Martinez González stated the data was on a “staging site” used for testing. However, he did not explain why real, sensitive customer information was present on a test server or why that server was publicly accessible. His claim that “all protections are in place” stands in stark contrast to the reality of the open server.

After the notification, the company made the files inaccessible. Nevertheless, a critical question remains unanswered: Martinez González would not confirm if the company has logs to determine who accessed the data or how many times it was downloaded. This lack of visibility means affected users may never know if their data was copied by malicious actors.

A Recurring Problem in Digital Verification

This Duc App data breach is not an isolated event. It fits a worrying pattern where companies aggressively collect sensitive identity documents but fail to implement corresponding security measures. Apps and websites increasingly demand passports and driver’s licenses for “Know Your Customer” (KYC) checks, yet the custodianship of this data is often shockingly weak.

For instance, last year, the social app TeaOnHer exposed thousands of similar documents required for user verification. In another case, Discord confirmed a breach affecting about 70,000 government IDs uploaded for age verification. Each incident erodes user trust and demonstrates a systemic failure to prioritize data security from the outset.

Therefore, the core issue extends beyond a single misconfigured server. It points to a flawed approach where data collection is prioritized over data protection. Companies treat sensitive ID documents as just another file type, storing them in standard cloud buckets without the stringent, additional safeguards they inherently require.

Regulatory Scrutiny and User Fallout

In response to this incident, the Office of the Privacy Commissioner of Canada has initiated contact with Duales. The regulator is seeking more information to determine its next steps, which could include an investigation and potential penalties. This regulatory attention is becoming more common as the frequency and severity of such breaches increase.

For users of the Duc App, the implications are severe. Exposure of a driver’s license or passport number creates a high risk of identity theft and fraud. These documents are difficult to change and are master keys to a person’s identity. Combined with exposed home addresses and transaction histories, the potential for targeted phishing attacks or financial fraud is significantly heightened.

As a result, affected individuals must remain vigilant. They should monitor their financial accounts for unusual activity, be wary of sophisticated phishing attempts referencing their Duc App transactions, and consider placing fraud alerts with credit bureaus. For more guidance on protecting yourself after a data breach, read our guide on post-breach security steps.

Preventing the Next Cloud Storage Catastrophe

So, what can be done to stop this cycle? First, companies must adopt a “security by design” philosophy. Sensitive data like government IDs should be encrypted at rest and in transit by default. Access should be governed by strict, role-based permissions, not left open to the public internet. Regular security audits and penetration testing are non-negotiable for any service handling financial or identity data.

Furthermore, the use of production data on staging or test servers should be strictly prohibited. These environments are inherently less secure and are frequent targets for attacks. Instead, anonymized or synthetic data should be used for all testing and development purposes. Learn more about secure development practices in our article on building secure fintech applications.
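As an added example (not code from the article or from Duales), a Python audit of an S3 bucket policy document: the weak policy reproduces the failure described above, where an anonymous principal can list the bucket and fetch every object, and the hardened policy beside it grants access only to one application role and refuses uploads that are not server-side encrypted. Bucket name, account id and role name are placeholders.

```python
import json
# Constructed policies (not Duales' real configuration; the account id and role are
# placeholders). WEAK lets anyone list the bucket and read every object; HARDENED
# limits access to one application role and denies unencrypted uploads.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-kyc-uploads",
                     "arn:aws:s3:::example-kyc-uploads/*"],
    }],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/kyc-api"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-kyc-uploads/*"},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny",
         "Principal": "*",
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-kyc-uploads/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
})

READ_ACTIONS = {"s3:listbucket", "s3:getobject", "s3:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True for the wildcard principal in either of its two spellings."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_bucket_policy(policy_json):
    """Return findings for a bucket policy document (as returned by get-bucket-policy):
    anonymous read/list grants, and no Deny enforcing server-side encryption."""
    findings, enforces_sse = [], False
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        public_read = actions & READ_ACTIONS
        if st.get("Effect") == "Allow" and _is_anonymous(st.get("Principal")) \
                and public_read and not st.get("Condition"):
            findings.append(f"{st.get('Sid', '<unnamed>')}: anonymous principal may "
                            + ", ".join(sorted(public_read)))
        condition = json.dumps(st.get("Condition", {})).lower()
        if st.get("Effect") == "Deny" and "s3:putobject" in actions \
                and "s3:x-amz-server-side-encryption" in condition:
            enforces_sse = True
    if not enforces_sse:
        findings.append("no Deny statement enforces server-side encryption on upload")
    return findings
```

The check covers the bucket policy document only; bucket ACLs and the account-level S3 Block Public Access setting are separate controls that should be verified as well.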

Ultimately, the Duc App data breach serves as another stark reminder. In the rush to build and launch digital services, fundamental security practices are too often an afterthought. Until companies are held fully accountable for the data they collect—both legally and in the court of public opinion—these preventable exposures will continue to put millions of people at risk.

Venom Stealer: The Malware-as-a-Service Platform Automating Persistent Cyber Theft

A new and sophisticated threat has emerged in the cybercrime ecosystem. Dubbed Venom Stealer, this malware-as-a-service (MaaS) platform is shifting the goalposts for data theft by automating not just the initial breach, but also maintaining persistent, ongoing access to stolen information. This represents a significant escalation from traditional one-time credential harvesters.

Security researchers from BlackFog detailed the platform’s capabilities in a recent advisory. What sets Venom Stealer apart is its operational model and its relentless focus on continuity, ensuring that a single infection can yield a stream of data for as long as the victim remains compromised.

The Subscription-Based Cybercrime Model

Operating like a legitimate software business, Venom Stealer is sold on underground forums using a clear subscription model. Aspiring cybercriminals can pay $250 per month or opt for a lifetime access fee of $1,800. This commercial approach includes Telegram-based licensing and an affiliate program, lowering the barrier to entry for less technically skilled attackers and scaling the threat’s potential reach.

How the Venom Stealer Infection Chain Works

The attack begins with a classic yet effective social engineering trap. Victims are lured to fake webpages mimicking familiar prompts—a Cloudflare CAPTCHA, a system update notification, an SSL certificate error, or a font installation page. Crucially, the victim is then instructed to manually open a Run dialog or Terminal and paste a command themselves. This clever tactic makes the malicious activity appear user-initiated, helping it slip past many behavioral detection systems that flag automated processes.

Once executed, the malware springs into action. It immediately scours Chromium and Firefox-based browsers, extracting saved passwords, session cookies, browsing history, autofill data, and critically, information from cryptocurrency wallets. It also performs detailed system fingerprinting and collects data on installed browser extensions, building a comprehensive profile of the infected machine.

Beyond One-Time Theft: The Continuous Exfiltration Engine

This is where Venom Stealer truly differentiates itself. Unlike older infostealers that run once and exit, this malware remains resident and active. It continuously monitors the Chrome login database, capturing newly saved credentials in real time the moment a user saves them. Consequently, common defense strategies like credential rotation become far less effective, as the malware simply harvests the new passwords as they are created.

Building on this, the platform’s financial theft capabilities are highly automated. If cryptocurrency wallets are discovered, the wallet data is sent to a server-side cracking engine running on GPU infrastructure. Once a wallet is cracked, its funds, including tokens and decentralized finance (DeFi) positions, are automatically liquidated and transferred across multiple blockchain networks.

Key Capabilities and Integrated Social Engineering

A particularly dangerous feature is the direct integration of ClickFix social engineering templates into the attacker’s operator panel. This allows threat actors to automate the entire attack chain from the initial lure to the final data theft, streamlining their operations. The platform’s key capabilities include:

  • Automated ClickFix delivery templates for both Windows and macOS systems.
  • Continuous, real-time credential monitoring post-infection.
  • Automated cryptocurrency wallet cracking and fund transfers.
  • File system searches for cryptocurrency seed phrases and password files.

Therefore, the platform represents a full-service cybercrime toolkit. For more insights on the social engineering tactics often paired with such malware, consider reading about the Anatomy of a Service Desk Social Engineering Attack.

Mitigation Strategies Against Venom Stealer

So, how can organizations defend against this persistent threat? BlackFog researchers recommend a multi-layered defense strategy. First, technical controls can disrupt the attack chain: restrict PowerShell execution where possible, and disable the Run dialog for standard user accounts on Windows systems.

In addition, human vigilance remains paramount. Security awareness training must evolve to help employees recognize and report ClickFix-style social engineering attempts that urge them to run suspicious commands. Furthermore, robust network monitoring is essential. Since Venom Stealer relies on immediate data exfiltration to attacker-controlled servers, monitoring for unusual outbound traffic patterns can provide a crucial detection opportunity.

This means that a combination of technical hardening, user education, and network surveillance forms the best defense. For broader strategies on securing your digital assets, explore our guide on Protecting Against Advanced Data Exfiltration.

An Actively Maintained Threat

The research indicates that Venom Stealer is not a static tool. Evidence points to an actively maintained, full-time development operation, with multiple updates observed as recently as March 2026. This commitment to development suggests the platform’s operators are intent on refining its capabilities and evading detection for the long term, making it a persistent and evolving danger in the cybersecurity landscape.

Hims & Hers Confirms Third-Party Customer Support System Breach

The digital healthcare landscape faces another security challenge. Hims & Hers, a prominent telehealth provider, has officially confirmed a data breach impacting its external customer service platform. This incident highlights the persistent vulnerabilities within third-party systems that handle sensitive user information.

According to a filing with the California attorney general’s office, unauthorized actors infiltrated the company’s third-party ticketing system over a four-day period in early February. Consequently, they exfiltrated a significant volume of support tickets submitted by customers. While the company states medical records were not accessed, the nature of support communications often contains a wealth of personal and account-specific details.

Scope and Nature of the Hims & Hers Data Breach

Building on this, the precise number of affected individuals remains undisclosed. California law mandates public disclosure for breaches involving 500 or more state residents, indicating the scale is likely substantial. The company’s notice confirms that stolen data included customer names and contact information. However, other categories of personal data were redacted in the public filing, leaving questions about the full extent of the exposure.

A company spokesperson attributed the incident to a social engineering attack. In such schemes, hackers manipulate employees into granting system access, bypassing technical safeguards. This method underscores that human factors remain a critical weak link in cybersecurity defenses, even for established companies.

What Information Was Compromised?

While Hims & Hers emphasizes that the data “primarily” included names and email addresses, the context is crucial. Support tickets for a telehealth service can contain sensitive inquiries related to medications, treatments, and personal health circumstances. Therefore, even without formal medical records, the breached data could paint a detailed and private picture of an individual’s health journey.

The Rising Threat to Customer Support Platforms

This incident is not isolated. In recent months, customer support and ticketing systems have become prime targets for financially motivated cybercriminals. These platforms are treasure troves of personal data, which can be used for identity theft, phishing campaigns, or extortion. For instance, a similar breach at Discord last year led to the exposure of government-issued IDs for tens of thousands of users.

The pattern is clear: attackers are shifting focus to the soft underbelly of corporate operations—the vendors and platforms managing customer interactions. This trend demands a reevaluation of how companies secure their entire digital ecosystem, not just their core applications.

Response and Ongoing Implications

As a result of the breach, affected customers should be on high alert for phishing attempts. Fraudsters often use stolen names and email addresses to craft convincing, targeted messages. Hims & Hers has not disclosed whether the hackers made any ransom demands, a common tactic following such intrusions.

For consumers, this event serves as a stark reminder. When sharing information with any service, it’s vital to consider where that data flows and who else might have access. The security of a company is only as strong as its weakest vendor. For more insights on protecting your digital health information, explore our guide on healthcare data privacy.

Ultimately, the Hims & Hers data breach exposes a critical vulnerability in modern business infrastructure. It reinforces the need for robust vendor risk management and continuous employee security training. As the telehealth sector grows, so too must its commitment to safeguarding the trust placed in it by patients. Companies must implement stringent access controls and multi-factor authentication, especially for systems handling sensitive data. Learn more about effective security protocols in our article on preventing social engineering attacks.
