TZUTC: -0500
MSGID: 1475.consprcy@1:2320/105 2d1ed086
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed
Largest US credit union leaked potentially sensitive information

Date:
Wed, 03 Sep 2025 16:16:00 +0000

Description:
Navy Federal Credit Union kept an unprotected backup on the open internet,
leaking all sorts of sensitive information.

FULL STORY

Navy Federal Credit Union (NFCU), the largest credit union in the United
States, was leaking sensitive information to the open web by keeping a backup
database unprotected and available on the wider internet. This is according 
to Jeremiah Fowler, a cybersecurity researcher known for hunting unencrypted,
non-password-protected databases. 

In a recent announcement, Fowler said he found an archive containing 378GB of
backup data. The data belongs to the largest credit union serving military
members and their families, and contained storage locations, keys, hashed
passwords, and other internal potentially sensitive information. 

In a limited sampling of the exposed files, I saw internal users names, email
addresses, and what appeared to be hashed passwords and keys, Fowler
explained. The backup files also revealed what appeared to be operational
metadata, system logs, and business logic such as codes, product tiers,
optimization processes, rate structures, and other data that should not have
been publicly accessible.

Firmware update 

NFCU serves military members, veterans, Department of Defense employees, and
their families with banking, loans, and financial services. It was founded in
1933, and according to Website Planet, holds roughly $180.8 billion in assets
under management, and counts 14.5 million members. 

As soon as the researcher reached out to NFCU, the organization locked down
the database, but did not respond to the disclosure notice. Therefore, it
remains unknown who actually operates the backup (it could be NFCU, but it
could also be a third-party), for how long it remained open, and if anyone
accessed it before Fowler. 

Despite member data not being available in plain text, there is significant
potential risk in exposing ancillary information, Fowler stressed.
Hypothetically, attackers could use internal information (such as names,
emails, and user IDs) to target staff or accounts with credential stuffing,
phishing, or other social engineering attempts, with the goal of gaining
further access to sensitive internal systems, files, or member data. 

Therefore, customers are advised to be extra vigilant when receiving email
messages and other communication claiming to come from NFCU. 

 Via Website Planet

======================================================================
Link to news story:
https://www.techradar.com/pro/security/largest-us-credit-union-leaked-potentia
lly-sensitive-information

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 470
SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426