The Chicago-based financial technology company Willow—which pays customers’ bills upfront and allows them to repay in four weekly installments—left over 240,000 private records exposed online, the Daily Dot has learned.
The data, discovered in a non-password-protected database by cybersecurity researcher Jeremiah Fowler, includes approximately 241,970 files related to everything from sensitive customer data to payment schedules.
One spreadsheet file in particular, according to Fowler, contains details on 56,864 individuals labeled as prospects, active customers, or former customers who were blocked. A screenshot provided to the Daily Dot also shows records that include apparent customer names, email addresses, phone numbers, transaction amounts, and limited bank account information.
Receipts from customers uploaded to the database show credit card data, including card types and partial credit card numbers, as well as home addresses. Even one customer’s T-Mobile phone bill, which lists all calls and text messages to and from the account, was present in the data.
Fowler said he immediately contacted Willow to report the exposure but never received a reply. Shortly after, however, Fowler said the exposed database was changed to block public access.
“It is not known if the database was owned and managed by Willow directly or managed via a third-party contractor,” Fowler said. “It is also not known how long the database was exposed before I discovered it, or if anyone else gained access to it.”
Fowler has published a detailed analysis of his findings.
The Daily Dot reached out to Willow to inquire about the exposure but did not receive a reply by press time.
Fowler warns that given all the unknowns, customers could potentially be facing significant risks due to the exposure of sensitive payment and banking information.
“I am not representing that Willow Pay’s data, or that of their users were ever at risk or compromised in any manner,” Fowler stressed. “I am only providing a general observation of potential cybersecurity risks as it relates to the exposure of financial information.”
Fowler is urging customers of Willow who believe their data may have been compromised to monitor their financial accounts for unauthorized activity, change any passwords on accounts tied to Willow, and be wary of phishing attempts.
“The exposed names, phone numbers, email addresses, and partial credit card numbers could hypothetically provide fraudsters with all of the necessary information they could use to create highly believable phishing schemes or social engineering attempts,” Fowler added. “Similarly, scanned images of bills could potentially contain far more information than simply names, physical addresses, and account numbers. Knowing specific details of the services the user is being billed for could be used as a blueprint for invoice fraud.”
Internet culture is chaotic—but we’ll break it down for you in one daily email. Sign up for the Daily Dot’s web_crawlr newsletter here. You’ll get the best (and worst) of the internet straight into your inbox.
