Cybersecurity researcher finds 1 million invoices in public, unencrypted database

A cybersecurity researcher says he discovered a public, unencrypted database earlier this year associated with a business banking fintech that contained more than 1 million names, physical addresses and phone numbers of consumers and business owners who used a certain invoice-creator app.

The database is said to have been secured in January, and where the fault for any vulnerability lies is murky. But the incident highlights the widespread problem of unprotected online databases — which sometimes are linked with seemingly innocuous, free apps — that present risk management challenges for players from digital startups to large banks.

The security researcher, Jeremiah Fowler, announced the disclosure Wednesday and said the database belonged to NorthOne, a Toronto-based fintech offering mobile-first banking to small businesses, because the invoices he found in the database say “powered by NorthOne.”

NorthOne CEO Eytan Bensoussan told American Banker that, despite appearances, the vulnerability actually stems from an app called InvoiceMaker that is not connected to NorthOne. He acknowledged that some of the people who helped build the app now work for NorthOne and that the company marketed itself with the app, but the app has “no product, technology or corporate connection” to his fintech.

“NorthOne is a completely separate entity from InvoiceMaker,” Bensoussan said.

Yet NorthOne launched a free invoice creation tool in 2018, according to multiple news reports. The app, which prominently featured NorthOne’s old logo and branding, used both the names Invoice Maker and Free Invoice. As of June 2022, the app had 4,900 ratings on the Apple app store.

Invoices in the database, which was not password-protected, included names, physical addresses, email addresses, phone numbers and details about the services provided.


Despite the invoice app using NorthOne’s old logo, “there is no crossover between databases,” Bensoussan said in an email. In explaining why NorthOne’s old logo appeared in the app, he said NorthOne once “leveraged Invoice Maker for awareness purposes, but as you can see from the outdated logo, that was a long time ago.”

Bensoussan said his team terminated the invoice creation service after Fowler told them about the vulnerability in January, and NorthOne’s invoice creation app is no longer available on the app store. Fowler said the database he found is also now secured, thanks to his disclosure.

In his comments, Bensoussan played down the importance of the vulnerability, saying the invoicing app had “no payment capabilities and did not involve any payment data.” Rather, the app was “a free PDF generator for invoices,” he said, adding it had “as many as 20,000 users at its most popular but was due to be sunsetted later this year because it had run its course.”

Security researcher Brett Callow said he could not comment on the specifics of this invoice data vulnerability but noted that it is often difficult to determine the significance of exposed databases. Often, it is not necessarily clear even to the company that manages the data whether anybody other than the researcher who discovered it accessed the data, he said.

Invoices found in the database also feature NorthOne branding. The fintech’s CEO maintains that the company affected is a now-defunct invoice creation tool, not NorthOne. (Image: Jeremiah Fowler)

“Still, even if it was only a researcher who accessed a database, that means an unauthorized third party had access to information — and that’s a data breach,” Callow said.

Ali Allage, CEO at Bluesteel Cybersecurity, offered a different take, saying a data breach occurs when data is taken without the knowledge or authorization of the system’s owner. That does not appear to be the case here, she said, for which NorthOne should consider itself lucky.

“This organization got extremely lucky that this didn’t snowball into something worse and having to deal with much larger consequences,” Allage said.

Bensoussan said “no breach or leak occurred,” adding “we have confirmed no data was ever compromised or made public.”

As of Friday, no state attorneys general had reported any data breaches from NorthOne, Free Invoice or Invoice Maker, suggesting the responsible party has not reported the breach pursuant to any of the state laws governing data breach disclosures.

According to Fowler, his interaction with Bensoussan — an email in which the CEO let the researcher know the vulnerability had been taken care of — provided no indication that he had misidentified the responsible party. Had he messaged the wrong company saying he found their exposed database, “they would have been very eager to tell me that it does not belong to them,” he said.

Bensoussan said he is “thankful that the issue has been addressed” and said Fowler called his team’s attention to the vulnerability before it escalated into a breach.

“In this case, the system worked as intended with a security researcher helping to address a problem before it became an issue,” Bensoussan said. 

Invoices are a “goldmine for criminals,” according to Fowler, because they can target victims using both the contact information they glean from the documents and the details of private transactions.

“The criminal could reference the real invoice number and transaction details, making it difficult for the victim to doubt the scammer’s legitimacy as a representative of the company or service provider,” Fowler said.

The database was easy enough to find, Fowler said, that it would have required little expertise for a criminal to get to it — and no password was needed to read the files once found.

Fowler monitors multiple IoT search engines to find exposed data, which is how he came across the database of invoices. IoT search engines scour the web for internet-connected devices like webcams and smart home appliances, and they also index misconfigured servers and databases that answer on the open internet. Shodan is a popular example; others include Censys, GreyNoise and ZoomEye.

According to Fowler, the incident is an example of why companies need to establish good processes for and relationships with security researchers, since the analysts work to protect data and plug security vulnerabilities. In many cases, including this one, they do so free of charge.

“The biggest thing is that companies need to take that extra step and realize that, if you collect data, it’s valuable to somebody other than you,” Fowler said.
