Massive data spill reveals loan shop collects and exposes private messages. What data was leaked?


A data leak at Nigerian FinTech company BestFin Nigeria has exposed 846,000 customers and their emergency contacts. The leak also revealed that money lenders try to squeeze every drop of data from their clients, including private communications.

Would you want your lender to read your SMS messages? In some countries, loan apps will collect almost everything.

On July 2nd, 2024, the Cybernews research team discovered an open MongoDB database belonging to BestFin Nigeria Limited, which operates the iCredit app in the country.

This data chest, over 300GB in size, was left open and contained 846,000 clients' sensitive personal data. The researchers themselves were surprised by the extent of the data collection.

The service collected the following data:

  • Personal data, including name, gender, phone number, email address, home address, date of birth, salary range, and marital status
  • Emergency contacts
  • List of apps installed on user devices
  • List of contacts saved on their phone
  • Device identifiers, such as IMEI, model, and IP address
  • Any SMS messages sent and received by the users, including personal messages unrelated to payments, OTP codes, and temporary passwords for financial and non-financial accounts
  • Bank Verification Number (BVN) validation logs. The BVN is a biometric identification system implemented by the Central Bank of Nigeria

“While BestFin appears to be an approved lender in Nigeria, its loan recovery and screening practices seem to violate Nigeria’s Data Privacy Regulations, which prohibit accessing user contact lists and private messaging histories. Having such information, attackers could access online accounts or steal victims’ identities and funds,” the Cybernews research team said.

Many digital lending services have lost their licenses for such practices. Unfortunately, this is a common practice in Nigeria. The Nigerian Government is aware of the issue and has promised to further address it with new legislation in 2024.

“The leaked message histories reveal even more unethical practices among other digital lending services in Nigeria. Some of the exposed messages contain blackmail, harassment, threats to publish private financial information, and other ‘name and shame’ tactics,” the researchers said.

“It also gives the ability for lenders to track user interactions with their competitors.”

Even worse, the database contained signs of a compromise by an external threat actor. The researchers found a ransom note asking for a payment of 0.01 bitcoin (around $640) to recover the database.
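The two findings above, a database reachable without credentials and a ransom note left inside it, are the classic symptoms of a MongoDB instance deployed with its defaults. As an added illustration, not part of the article and not BestFin's own configuration (the article does not say how the exposed server was set up), here is a mongod.conf in the weak form next to a hardened one. The two are alternative files shown in a single block; the interface addresses and the certificate path are constructed placeholders.

```yaml
# --- Weak form (constructed example): what an "open" instance typically looks like ---
# Listens on every network interface and never asks for credentials, so anyone
# who can reach TCP/27017 can list, dump, modify or drop every collection.
net:
  port: 27017
  bindIp: 0.0.0.0
# No "security:" section: access control is disabled unless it is enabled explicitly.

---
# --- Hardened form (constructed example) ---
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5          # loopback plus the private app-tier address only (placeholder)
  tls:
    mode: requireTLS                  # refuse plaintext connections
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path
security:
  authorization: enabled              # every client must authenticate and hold a granted role
  javascriptEnabled: false            # disables server-side JavaScript ($where, mapReduce)
setParameter:
  enableLocalhostAuthBypass: false    # closes the window in which a fresh instance accepts
                                      # unauthenticated local connections until a user exists
```

With the hardened file in place, create an administrative user and a separate application user limited to the `readWrite` role on the application's own database, then verify the exposure is really gone from a host outside the app tier: `mongosh --host <public-address> --eval 'db.adminCommand({listDatabases: 1})'` should fail with an authentication error rather than return the database names. An instance that still answers that query anonymously is the kind of target that gets wiped and replaced with a ransom note.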

Loan apps may put you in danger

Despite being a single case, this leak is significant due to the revelations of some practices used by digital lending apps in Nigeria and potentially elsewhere.

“Companies claim they harvest sensitive user data to assess loan eligibility and fight fraud. Yet, in reality, we see examples where this practice opens the door to illegal misuse and financial exploitation by both corporations and cybercriminals,” our researchers warn.

Cybernews researchers previously revealed that even the most trustworthy financial applications collect vast amounts of data.

iCredit app users in Nigeria should be aware that their data was compromised and that cybercriminals have likely accessed it. As a precaution, they should stay alert for phishing scams, suspicious messages and phone calls, and attempts to access their accounts.

On July 4th, Cybernews disclosed the exposed MongoDB database to the company. After multiple follow-up attempts, the database was finally secured and was no longer publicly accessible as of August 26th.

Cybernews has reached out to BestFin Nigeria for a comment and has yet to receive a response.

Disclosure timeline

  • July 2nd, 2024: Leak discovered.
  • July 4th, 2024: Initial disclosure email sent; multiple follow-up emails followed.
  • August 26th, 2024: Access to the data was closed.