Two cashback sites leaked data of 3.5 million users


Two popular cashback services have leaked nearly two terabytes worth of personally identifiable information (PII) and account data in an unprotected Elastic database. The two cashback websites have been operating mostly in the United Kingdom and India. 

Cybersecurity experts from the Security Detectives Research team discovered an unprotected Elasticsearch database containing at least two terabytes worth of PII and account information of Pouringpounds.com and Cashkaro.com.

The two sister sites operate in the U.K. and India, and both are owned by Pouring Pounds Ltd. The leak has affected approximately 3.5 million individuals. 

The researchers said that the database had been online since August 9, 2019, and could be found simply by scanning for a specific port. 

“The elastic server was publicly exposed without any password protection. Searching at a specific port, anyone could find it easily and take advantage of it maliciously. From what we can see, it was exposed since August 9, 2019,” the disclosure blog post from Security Detectives read. 

According to the head of the team, Anurag Sen, he and his colleagues found that the cashback and voucher websites Cashkaro.com and Pouringpounds.com had both exposed key details about their active users. 

Pouringpounds.com, which has over a million users, exposed account details such as the usernames and passwords of its users, leaving them open to credential stuffing attacks against their other accounts. Other information leaked by the website includes: 

  • Full names,
  • Phone numbers,
  • Email addresses,
  • Login credentials to the platform
    • Username
    • Plaintext password
  • Bank details linked to account from the site
    • Email
    • Name of the account holder
    • Bank name
    • Account number
    • Sort code (routing numbers)
  • Emails from Pouringpounds to their users,
  • IP addresses

“On PouringPounds.com – a site with over a million users – the username and plaintext passwords stored mean that anybody could easily take over the entire account, including the amount of credit they have in their wallet on the site,” the researchers said. The team also highlighted that someone with access to the database could log in to any user’s account and transfer the wallet balance to a PayPal account of their choice, because the only thing needed to authorise such a transfer is the account password, which the unprotected database supplied in plaintext. 
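The two failure modes described above (an Elasticsearch node answering on its port with no credentials, and password fields stored in the clear) are illustrated by the following added Python, which is not part of the researchers' report or either company's code; the hash patterns, the field-name list and the sample record are assumptions. It classifies the node's root response and flags password-like fields in a user document whose values are not recognisable hashes.

```python
import json
import re
import urllib.error
import urllib.request

# Shapes a stored credential is expected to take; a password-named field whose value
# matches none of them is reported as plaintext. (Assumed patterns, not from the report.)
HASH_PATTERNS = [
    re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),  # bcrypt
    re.compile(r"^\$argon2(id|i|d)\$"),                    # argon2
    re.compile(r"^\$(5|6)\$"),                             # sha-crypt
]
SECRET_KEYS = ("password", "passwd", "pwd", "secret")  # assumed field names

def classify_es_response(status, body):
    """Map the status/body of GET / on an Elasticsearch port to an exposure verdict."""
    if status == 200:
        try:
            info = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(info, dict) and "cluster_name" in info and "tagline" in info:
            return "open"  # cluster metadata served without any credentials
        return "unknown"
    if status in (401, 403):
        return "auth_required"
    return "unknown"

def probe_elasticsearch(host, port=9200, timeout=3):
    """Query a node you operate and classify its root response."""
    try:
        with urllib.request.urlopen(f"http://{host}:{port}/", timeout=timeout) as resp:
            return classify_es_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as exc:
        return classify_es_response(exc.code, "")
    except (urllib.error.URLError, OSError):
        return "unreachable"

def plaintext_secret_fields(doc):
    """Return names of password-like fields whose values are not recognisable hashes."""
    flagged = []
    for key, value in doc.items():
        if isinstance(value, str) and any(k in key.lower() for k in SECRET_KEYS):
            if not any(p.match(value) for p in HASH_PATTERNS):
                flagged.append(key)
    return flagged

# Constructed sample record in the shape of the leaked user data (not real data).
SAMPLE_USER = {"username": "alice", "password": "Summer2019!",
               "bank_password": "$2b$12$" + "a" * 53, "email": "alice@example.com"}
```

Running `plaintext_secret_fields(SAMPLE_USER)` flags only `password`, since the bank password field holds a bcrypt-shaped value.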

Meanwhile, similar information was also exposed in the database for the 2.5 million registered users of Cashkaro.com. The leaked data includes:

  • Full names,
  • Phone numbers,
  • Email addresses,
  • Login credentials to the platform
    • Username
    • Plaintext password
  • Bank details linked to account from the site
    • Account holder name
    • Bank name
    • Branch
    • Account number
    • IFSC code
    • Bank account related password (we cannot be certain what it is used for, but unencrypted passwords are being linked with the bank details)
  • Emails from Pouringpounds to their users,
  • IP addresses

The researchers added that after their investigation, which started September 2, they contacted the company in order to get the database secured. However, they only received a reply from the company's security team on September 21, and the exposed database was closed the same day. 
