
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 1,727 of 2,445   
   Mike Powell to All   
   Largest US credit union l   
   04 Sep 25 08:31:47   
   
   TZUTC: -0500   
   MSGID: 1475.consprcy@1:2320/105 2d1ed086   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   Largest US credit union leaked potentially sensitive information   
      
   Date:   
   Wed, 03 Sep 2025 16:16:00 +0000   
      
   Description:   
   Navy Federal Credit Union kept an unprotected backup on the open internet,   
   leaking all sorts of sensitive information.   
      
   FULL STORY   
      
   Navy Federal Credit Union (NFCU), the largest credit union in the United   
   States, was leaking sensitive information to the open web by keeping a backup   
   database unprotected and available on the wider internet. This is according    
   to Jeremiah Fowler, a cybersecurity researcher known for hunting unencrypted,   
   non-password-protected databases.    
      
   In a recent announcement, Fowler said he found an archive containing 378GB of   
   backup data. The data belongs to the largest credit union serving military   
   members and their families, and contained storage locations, keys, hashed   
   passwords, and other internal potentially sensitive information.    
      
   "In a limited sampling of the exposed files, I saw internal users' names, email   
   addresses, and what appeared to be hashed passwords and keys," Fowler   
   explained. The backup files also revealed what appeared to be operational   
   metadata, system logs, and business logic such as codes, product tiers,   
   optimization processes, rate structures, and other data that should not have   
   been publicly accessible.   
      
   Firmware update    
      
   NFCU serves military members, veterans, Department of Defense employees, and   
   their families with banking, loans, and financial services. It was founded in   
   1933, and according to Website Planet, holds roughly $180.8 billion in assets   
   under management, and counts 14.5 million members.    
      
   As soon as the researcher reached out to NFCU, the organization locked down   
   the database, but did not respond to the disclosure notice. Therefore, it   
   remains unknown who actually operates the backup (it could be NFCU, but it   
   could also be a third-party), for how long it remained open, and if anyone   
   accessed it before Fowler.    
      
   "Despite member data not being available in plain text, there is significant   
   potential risk in exposing ancillary information," Fowler stressed.   
   Hypothetically, attackers could use internal information (such as names,   
   emails, and user IDs) to target staff or accounts with credential stuffing,   
   phishing, or other social engineering attempts, with the goal of gaining   
   further access to sensitive internal systems, files, or member data.    
      
   Therefore, customers are advised to be extra vigilant when receiving email   
   messages and other communication claiming to come from NFCU.    
      
    Via Website Planet   
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/largest-us-credit-union-leaked-potentially-sensitive-information   
      
   $$   
   --- SBBSecho 3.28-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 470   
   SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35   
   PATH: 2320/105 229/426   
      



(c) 1994,  bbs@darkrealms.ca