A major data leak exposed the personal information of potentially hundreds of thousands of users of the Duc App, a money-transfer service. An unsecured and unencrypted Amazon storage server, discovered by security researcher Anurag Sen, was publicly accessible without a password. It contained over 360,000 files including driver’s licenses, passports, selfies, and spreadsheets with customer names, addresses, and transaction details dating back to 2020.
The app’s owner, Toronto-based Duales, secured the data after being alerted by TechCrunch. CEO Henry Martinez González called it a “staging site” but did not explain why live customer data was exposed. The company would not say if it knows who accessed the data. Canada’s privacy regulator is now seeking information from the company.
This incident highlights a growing trend where apps collect sensitive identity documents but fail to properly secure them, following similar leaks from other services like TeaOnHer and Discord.