Grey hat security researchers have discovered new flaws in the systems of Panama leak firm Mossack Fonseca.

A self-styled “underground researcher” claims to have found a SQL injection flaw on one of the corporate systems of the Panamanian lawyers.

“They updated the new payment CMS, but forgot to lock the directory /onion/,” he said via the “1x0123” Twitter profile.

Mossack Fonseca specialises in helping its clients to set up firms in tax havens such as the British Virgin Islands. The leak of its client information as part of the Panama Papers has created a huge political stink

The lawyers informed clients in early April that the leak to journalists has been traced back to a hack on its email server, rather than a whistleblower. Its apparent failure to adequately lock down its systems is surprising in the circumstances.

“It looks like MF [Mossack Fonseca] had really very low security level, [such] that hackers continue to hack them for fun,” a security intelligence source who notified us of the claimed vulnerability told El Reg.

In between flagging up security issues with Mossack Fonseca, the same hacker has been busy over the last week attacking major media outlets, such as the LA Times and New York Times, and offering to sell access to insecure systems at NASA, among other hi-jinks.

The same hacker (1x0123) contacted Edward Snowden, notifying him of some bugs on one of his projects. Snowden acknowledged the bug report on the Freedom of the Press Foundation website on Sunday. ®