Millions of Turks using popular finance apps may have had their private data leaked.
The Cybernews research team has discovered an unprotected MongoDB database with over four million sensitive financial data records.
The leaked data traces back to FinansCepte and FinansWebde, two of Turkey’s most widely used financial apps. The apps serve more than a million users for financial tracking, market analysis, and personal investment management.
It’s unclear whether malicious actors have accessed the exposed database or how long it has remained publicly available. Exposed databases like this are a goldmine for attackers, who constantly monitor the internet in search of unsecured databases.
Therefore, it’s highly likely that if our researchers found the database, attackers have too.
Cybernews reached out to the company behind the apps, Pasyonis Medya ve Bilişim Ticaret, but has not received a response by the time of publishing.
What data did finance apps leak?
- Usernames
- Email addresses
- Phone numbers
- Partial payment information
- Hashed passwords
- Financial alert settings
Millions vulnerable to cyberattacks
Exposing financial data is extremely dangerous, leaving users vulnerable to a range of cyberattacks. With financial details in hand, attackers could launch highly sophisticated phishing campaigns, targeting the apps' users and tricking them into handing over even more sensitive data. For example, attackers could impersonate the finance apps' communication, urging users to renew their passwords or secure their accounts. Instead, they steal credentials and drain accounts.
The leak also contained login credentials. While the passwords were hashed, making them more secure, they could still fuel credential stuffing and brute-force attacks, potentially giving hackers access to accounts across multiple platforms.
Access to alert settings could allow attackers to manipulate financial notifications, leaving users blind to real market shifts or feeding them false signals at critical moments.
Financial applications are leaking user data
Leaving databases without passwords is a very common vulnerability attributed to a simple human mistake. Cybernews' in-house research shows the same trend. However, when left unchecked, these “simple mistakes” can spiral into incidents affecting hundreds of thousands of people.
Such misconfigurations have been at the root of several major leaks in recent years affecting financial apps.
In 2024, Cybernews discovered a data leak at Nigerian FinTech company BestFin, which operates the iCredit app. The leak exposed 846,000 customers, their emergency contacts, and even private SMS messages that the app was secretly collecting.
Another data leak affected Uruguay-based digital banking platform Bankingly, which leaked data from seven financial institutions, exposing nearly 100,000 individuals across South and Central America.\
- Leak discovered: March 7th, 2025
- Initial disclosure: March 7th, 2025
- Leak closed: July 25th, 2025
Your email address will not be published. Required fields are markedmarked