The security of Germany-based financial loan company Kreditech has been probed by a group of hackers, who grabbed a considerable amount of sensitive information belonging to customers and posted it online.

It appears that this action was taken in order to prove the low cyber security the company relies on, despite the multi-million investments it enjoys.

Kreditech investigates inside leak incident

Security blogger Brian Krebs says that the online location from the information was revealed is hidden in TOR anonymity network. Its administrators made the data public saying one of the hackers, part of a group called “A4” explained that the company’s security was “absent.”

It appears that the hackers found “hundreds of gigabytes” of documents gathered by Kreditech from its customers or potential clients, including scanned passports, driver’s licenses and national IDs.

An investigation into the incident was started by the financial company, who believes that the data belongs only to credit applicants. Regardless if the owners loaned engaged in business with Kreditech or not, the information is highly sensitive and it can be used by cybercriminals for malicious operations.

Kreditech head of communication Anna Friedrich told Krebs that the company had an internal security incident back in November 2014, which is currently investigated by the Hamburg police.

This would suggest that the files reached public space due to an inside leak, not a hacking event.

“All data to which the group А4 got access will be put online in open access although its curb price is rather considerable,” the Tor hidden website said.

Logs from a MongoDB system found

Krebs learned of the leak from security researcher Corey Wells, who developed a crawler that indexes websites in Tor.

The researcher informed that the data included logs from a machine that may have been running MongoDB, an open-source, document-oriented database compatible with multiple operating systems.

Poor configuration of this database could expose confidential data if the machine running it is open to the Internet.

In February 2015, three students from Saarland University in Germany discovered that almost 40,000 MongoDB machines lacked the proper security settings and allowed access to Mongo shell to unauthorized parties outside the network.

During their research, the students were able to reach information such as names, addresses, emails and credit card numbers of customers of a French telecommunications provider as well as payment data from a German online retailer.

Kreditech operates in nine countries (Germany and the US are not among them), offering credit to millions of customers, and seeks constant expansion to new regions. Recently, the company secured a $200 / €182 million credit from Victory Park Capital.

[UPDATE]: Anna Friedrich contacted us with some clarifications about the incident, saying that the data affected was from the caching system of Kreditech's website, where only applicant information resides on a temporary basis, so customers are not impacted.

Furthermore, Friedrich said that the hackers' claims about Kreditech's systems being insecure are not correct:

“When we learned from the incident in summer (August) 2014 we involved the Hamburg state police and conducted intensive security tests involving external experts. They verified highest security standards and confirmed that the Kreditech system cannot be accessed from externally - not today and also not in the past. This led to the experts to conclude that an external hack had not occurred,” Friedrich added via email.