Creditors’ service provider leaked millions of records with lawsuit history

A company identifying people who might sue creditors forgot to set a password and leaked over 150 million records, including lawsuit history.

At the beginning of June, the Cybernews research team uncovered a misconfiguration in WebRecon systems that left the company’s data accessible to anyone on the Internet.

Founded in 2009, WebRecon is a niche player in the litigation risk management sector. With its flagship service, Litigant Alert, WebRecon assists creditors, debt collectors, debt buyers, and marketers in identifying customers who might file lawsuits under the TCPA, FDCPA, and FCRA laws.

webrecon data leak

These US laws focus on violations related to unsolicited communications, abusive debt collection practices, and inaccurate credit reporting and can be used to sue creditors.

“Hundreds of these lawsuits are brought by repeat filers. Contact any one of them, and your chances of being sued rise dramatically,” writes the company on its website.

While the company claims to protect the creditors, it failed to protect its data. A leak was caused by a MongoDB database when WebRecon developers forgot to set up a password. The leaked database stored nearly 154 GB of data and more than 150 million records.

Leaked personal data included:

  • Names
  • ZIP Codes
  • States
  • Hashed Social Security Numbers (SSN)
  • The last 4 Digits of the SSN
  • Reported Lawsuit History

The leaked data could be exploited by threat actors for identity theft, targeted scams, or other malicious activities. “The leak also raises concerns about WebRecon's data security practices and compliance with privacy regulations, given the sensitivity and scale of the exposed data,” said security researcher Bob Diachenko.

The company has eight employees. Smaller businesses may not receive the same level of scrutiny or resources to strengthen their cybersecurity defenses. Despite its small size, efficient cybersecurity is key, especially if dealing with large amounts of sensitive information.

“It is crucial to implement authentication and authorization mechanisms. Always configure firewall rules to allow only traffic from trusted sources, such as specific IP addresses or ranges, to access the MongoDB instance,” explained Diachenko.

Cybernews contacted the company, and access to the database was secured. However, Cybernews researchers couldn’t identify the exact duration of data exposure, and an official comment from the company has yet to be received.