- Indian mortgage firm Vivifi has reportedly suffered an information breach
- 36 million recordsdata have been left uncovered
- These consisted primarily of personally identifiable data (PII)
A number one digital lending app has apparently uncovered delicate buyer information after a misconfigured Amazon AWS S3 was bucket left unsecured with out authentication.
Cybernews researchers found mortgage supplier Vivifi left 36 million recordsdata of Know Your Buyer (KYC) paperwork open on-line. The first threat after an information breach is that criminals will use your data to use for bank cards, loans, or financial institution accounts in id theft or fraud schemes – so a mortgage firm having buyer data compromised would make it nearly too simple for cybercriminals.
Included within the leak have been passports, ID playing cards, driving licenses, utility payments, financial institution statements, and mortgage settlement letters, amongst different issues – right here’s what we all know to this point.
Ongoing investigation
Researchers found the leak on November 28, 2024, and the bucket wasn’t closed till January 16, 2025, that means criminals had over a month to search out and entry the information – though there’s no proof to counsel any did – solely an inside forensic audit would decide this.
Know Your Buyer (KYC) paperwork are utilized by monetary establishments to make sure they adjust to laws and legal guidelines on the subject of proof of id, handle, and revenue. Sadly although, that is all a cybercriminal would want to take out a mortgage in a sufferer’s identify, or to craft significantly compelling social engineering assaults.
“As an illustration, attackers might use leaked mortgage settlement particulars or financial institution data to request pressing funds or account verification,” Cybernews researchers mentioned.
“In some circumstances, these private particulars will be aggregated and bought on the darkish internet, additional escalating the hazard and complicating efforts for victims to guard their privateness and safe their identities,” the workforce added.
Information breaches are all too widespread, and fintech companies aren’t immune. Earlier in 2025, Mexican FinTech agency Miio suffered the same information breach which uncovered hundreds of thousands of recordsdata of delicate information – though considerably fewer than the Vivifi leak.
Critical threat for purchasers
This information breach is, sadly, the right alternative for an attacker. The KYC paperwork are precisely what cybercriminals have to facilitate id theft and fraud. With the figuring out paperwork and personally identifiable data (PII), attackers can take out a mortgage, bank card, or create new financial institution accounts in your identify.
To remain secure from this, the secret is staying alert and monitoring your accounts. There are id theft safety plans for people and for households, which primarily do the monitoring for you, and infrequently present $1 million or extra in insurance policy, in addition to darkish internet monitoring and anti-malware software program – which will be very tough to arrange by yourself.
If you wish to do the monitoring your self, maybe you haven’t been straight impacted by a breach however need to keep protected – then listed here are the issues to maintain a watch out for.
First, is your financial institution statements, accounts, and transactions – should you see any suspicious exercise, alert your financial institution instantly and freeze or pause your card should you can.
Subsequent, create a robust and safe password for every particular person account, or at the least for those which maintain monetary, well being, or delicate data – and if a service you utilize is concerned in a breach or cyberattack, be sure you change the password right away.
Though it’s a ache, enabling multi-factor authentication or MFA is a good added layer of safety in opposition to intruders, so for these accounts with delicate data – it is important.
When PII is leaked, there’s at all times an added hazard of social engineering assaults like phishing, which is able to use the information from the breach to find out which companies you utilize repeatedly, what your pursuits are, and even your family and friends.
From there, attackers will ship an electronic mail impersonating one of many above, and can trick you into clicking a malicious hyperlink, scanning a QR code, or handing over your particulars to them.
Be looking out for any surprising communications, and look carefully on the sender of emails – should you’re unsure, then don’t press any hyperlinks, and search up what the reliable electronic mail handle could be – or contact the corporate straight via their web site.
Bear in mind, your financial institution won’t ask you on your account particulars over the cellphone or via electronic mail – and so they received’t ask you to switch your funds to a special account.