Microfinance Bank’s Fintech App Leaks Customer Accounts Online

On March 3rd I discovered a non-password protected database that contained 271k records. It was clear from the start that these were banking and financial transactions. Upon further investigation I was able to identify that many of the records referenced a fintech app called “Monéé”. I sent a responsible disclosure notice shortly after my discovery and another a week later. The database remained publicly accessible for at least 10 days before it was finally closed.

Citygate Global, a Nigerian Microfinance bank launched the banking application Monéé in 2020 and according to their press release it is a multi-purpose mobile loan application designed to also cater for loan, savings, funds transfer services, investment, bill payment and more.

The company said the App is designed as a one-stop loan App and financial technology service digital platform for the growing population of loan users on digital platforms across Nigerian segments.

Here is what we have discovered that included the following:
  • Total Records: 271,732
  • Exposed records are labeled “Production” and contain customer names, account data, passwords, and even credit card data in plain text format.
  • Middleware or build information that could allow for a secondary path for malware. IP addresses, Ports, Pathways, and storage info that cyber criminals could exploit to access deeper into the network that should not be public.
  • This database was set to open and visible in any browser (publicly accessible) and anyone could edit, download, or even delete data without administrative credentials.

Financial Data Exposed

The danger of exposing financial data is that account holders could be targeted for phishing or to gain additional information. Identity theft is another risk where criminals would have enough information to obtain loans or credit in the name of the victims.

It is unclear how long the data was exposed or who else may have had access to these sensitive financial records. It is also unknown if customers or the authorities were informed of the prolonged exposure and potential risks. Unfortunately, no one from Monee or Citygate Global Nigerian Microfinance Bank ever replied to my messages. This is another wake up call for the fintech industry to ensure proper security and data storage methods. Customer data is valuable no matter where a company is located London, New York, or Lagos Nigeria.

Like this story? Please share it!

About the Author

Jeremiah Fowler
Jeremiah Fowler: Director of Security Research, Communications Specialist, Journalist and Cofounder at SecurityDiscovery.com. I care about data protection, privacy, cyber security issues, and responsible disclosure. Contact me: j(at)securitydiscovery.com Twitter: @Yoda69