A cybersecurity breach at Direct Trading Technologies (DTT), a major fintech company, has exposed the sensitive data of over 300,000 traders, leaving them vulnerable to account takeover and other attacks.

The leak, discovered by Cybernews researchers, involved a misconfigured web server containing backups and development code linked to DTT.

Critical information compromised:

• Email addresses and plaintext passwords (potentially employee passwords)
• Hashed passwords for trader accounts on the DTT platform
• Partial credit card details, home addresses, and phone numbers for some clients
• Locations of Know Your Customer (KYC) documents and other metadata
• White-label service client credentials, including database locations and commission percentages
• Internal comments from the outreach team, including derogatory remarks about clients

Potential consequences:

• Account takeover: Leaked data can be used to gain unauthorized access to trader accounts and steal funds.
• Phishing and identity theft: Personal information can be used to launch targeted phishing attacks or commit identity theft.
• Malware and credential stuffing: Leaked IP addresses and credentials can be used for further attacks.

Concerns around white-label service:

• The leak could impact clients of other firms using DTT’s white-label service, although additional steps would be needed for attackers to access their databases.

Lessons learned:

• This incident highlights the importance of robust cybersecurity measures for fintech companies handling sensitive financial data.
• Traders are prime targets due to the potential value in their accounts, making them especially vulnerable to cyberattacks.
• Companies offering white-label services need to implement additional security measures to protect client data.

Additional notes

• The information about leaked passwords should be handled with caution, avoiding specific details to prevent misuse.
• The derogatory remarks by the outreach team raise ethical concerns and should be addressed by the company.