Fintech Bill Pay Platform “Willow Pays” Exposes Over 240,000 Records
Security researcher discovers a non-password-protected database containing over 240,000 records belonging to US-based FinTech bill payment platform Willow Pays. The exposed data includes names, emails, credit limits, and internal billing details.
Cybersecurity researcher Jeremiah Fowler recently discovered and reported a publicly accessible database containing over 240,000 records belonging to Willow Pays, a bill payment software company based in Chicago, IL. This database, lacking any password protection or encryption, contained sensitive information such as user names, email addresses, credit limits, and internal billing details.
Willow Pays is a service that allows users to finance bills and other expenses over four weeks. Customers upload their bills and personal information, and Willow Pays approves or denies the request before facilitating payments.
According to Fowler’s investigation published by Website Planet, this publicly exposed database contained 241,970 records, including “bills, mailing lists, account inconsistencies, repayment schedules, screenshots, settings, and snapshots,” the report read.
The records included names, email addresses, credit limits, and other internal information. A single spreadsheet document contained the details of around 56,864 individuals, who could be active customers, prospects, or blocked accounts.
The extent of any actual data compromise is not yet known. However, Fowler believes that the exposed information could be exploited by criminals. This could include phishing attacks leveraging real billing data to deceive users, or using the information to gain unauthorized access to other accounts.
Fowler sent a responsible disclosure notice to Willow Pays, which promptly restricted the database from public access. The owner or management of the database is unknown, as are the duration of the exposure before discovery and whether anyone else gained access.
This incident highlights the increasing threat of cyberattacks on financial institutions, with Verizon reporting that 95% of data breaches are now financially motivated. Hackread.com recently reported that Czech cybersecurity startup Wultra has raised €3 million to develop post-quantum authentication technology to protect banks and fintech against quantum threats. The investment comes amid this growing global concern over the vulnerability of traditional security methods.
Given the persistent nature of this threat, security experts emphasize the need for financial software providers to implement effective cybersecurity measures, including encrypting sensitive data, conducting regular security audits, and adopting multi-factor authentication. To stay protected from financial fraud online, check out this fraud prevention guide from Hackread.com.