Willow Pay, a fintech that lets consumers split bills into four weekly payments, had its customers’ names, addresses and copies of their bills exposed by an unsecured database recently discovered by a security researcher.
The researcher, Jeremiah Fowler, said the database included 241,970 records, including bills, mailing lists, account inconsistencies, repayment schedules and other information.
It is unclear whether the database belongs to Willow, a third party contracted by Willow or some other entity. It is also unclear whether any unauthorized parties breached the database before Fowler discovered it. Redacted documents published by Fowler indicated Willow was the original source of the documents, which included repayment receipts sent by Willow and Willow account details.
Willow did not respond to American Banker’s request for comment. Fowler said the fintech also did not respond to him when he notified the company of the exposed database.
The database included a wide range of documents. One redacted screenshot Fowler posted appeared to show a phone bill that included calls and text messages to and from a customer’s phone account. Another document was a spreadsheet containing the details of 56,864 individuals showing whether they were active customers, prospects or blocked accounts.
None of the sample of records Fowler reviewed and publicly disclosed appeared to include Social Security numbers, driver's license numbers or other government identification data, which could be used for identity theft.
Despite the apparent lack of identifying information, the public exposure of the database presents both a privacy and security threat to the consumers whose data appears in the records. Threat actors often use non-identifying information in spearphishing attacks, in which they use specific knowledge of a potential victim to intimidate them or impersonate a trusted entity, such as the utility that billed them.
Fowler has documented other examples of unsecured databases maintained by financial services companies. In 2023, he
Locating unsecured, public databases containing personal records is a common method of accessing data without authorization. Companies expose these databases by failing to encrypt or password protect the records — sometimes the result of insecure default settings.
Fowler did not publicly disclose how he found the database of Willow customer data. Security researchers and threat actors have various methods and tools for discovering these databases, such as
For example, a researcher or threat actor might use search terms such as “filetype:pdf” to specify that the Google results should be limited to PDF files. They might also use the “intitle:” operator to specify words that might appear in the title of the webpage, such as “passwords.”