Over half a million highly sensitive legal and financial documents have been leaked online by a US loans company after another cloud configuration error.

Security researchers at vpnMentor led by Noam Rotem found the database in an unsecured Amazon Web Services (AWS) S3 bucket at the end of December.

It appears to be linked to a smartphone app known as MCA Wizard, developed by New York-based fintechs Advantage Capital Funding and Argus Capital Funding, which vpnMentor claimed were likely owned by the same company.

They are said to provide “merchant cash advances” (MCAs): controversial high-interest loans for small businesses and start-ups.

However, although the database URL contained the words “MCA Wizard,” the app is no longer available and most files bore no relation to the project. Even as the researchers discovered and tried to contact the firms, without success, new files were apparently being uploaded to the database.

The 425GB trove contained highly sensitive customer information including credit reports, bank statements, driver’s licenses, Social Security info, tax returns, scanned checks, purchase orders, and much more.

With this information, attackers could launch highly convincing phishing attacks, attempt check and financial fraud, target victim companies with malware, or even sell the data on the dark web, warned vpnMentor. The leak could even be investigated under the new California Consumer Privacy Act (CCPA), it claimed.

“This leak raises serious credibility and trust issues for Advantage and Argus. By not sufficiently securing this database and revealing so much information, they have compromised the safety, privacy, and security of their clients, partners, and customers,” the firm said.

“Those affected may take action against Advantage and Argus for doing so, either from ceasing to do business with either company or possibly pursuing legal actions. Both would result in considerable loss of clients, contracts, business relationships, and ultimately, revenue.”

After receiving no reply from the database owners, the researchers went direct to AWS, which promptly corrected the privacy snafu on January 9.