Internal Backup Files of Credit Union Serving Armed Forces Exposed in Data Breach


Written by: Jeremiah Fowler
Last updated: September 02, 2025
Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to Website Planet about an unencrypted and non-password-protected database that contained 378 GB of backup data. The data contained references to the largest credit union serving military members and their families. The database held storage locations, keys, hashed passwords, and other internal potentially sensitive information.


The publicly exposed database was not password-protected or encrypted. It contained 14 files in .gz, .sql, and .twbx file formats, totaling 378.7 GB. In a limited sampling of the exposed files, I saw internal users’ names, email addresses, and what appeared to be hashed passwords and keys. The backup files also revealed what appeared to be operational metadata, system logs, and business logic such as codes, product tiers, optimization processes, rate structures, and other data that should not have been publicly accessible.

Information from the name of the database and internal files suggests the records belong to Virginia-based Navy Federal Credit Union (NFCU). This is the largest credit union in the United States both in asset size (an estimated $180.8 billion) and in membership (14.5 million members). I immediately sent a responsible disclosure notice to NFCU, and the database was restricted from public access within hours of my reporting and is no longer accessible.

I did not receive any reply to my responsible disclosure notice. Although the records appeared to belong to NFCU, it is not known if the database was owned and managed directly by them or by a third-party contractor. It is also not known how long the database was exposed before I discovered it or if anyone else may have gained access to it. Only an internal forensic audit could identify additional access or potentially suspicious activity.

According to their website, Navy Federal Credit Union is a member-owned and not-for-profit credit union exclusively serving the military, veterans, and their families. NFCU offers membership to service members in all branches of the armed forces, including active duty members of the Army, Marine Corps, Navy, Air Force, Coast Guard, National Guard, Space Force, veterans, retirees, and annuitants.

Although I did not see member data in plain text, there are significant potential risks in exposing other types of ancillary information that provides additional insight into the internal systems of a financial institution. Hypothetically, attackers could use internal information (such as names, emails, and user IDs) to target staff or accounts with credential stuffing, phishing, or other social engineering attempts, with the goal of gaining further access to sensitive internal systems, files, or member data. Details about the overall network, file names, server names, and configuration data could potentially provide criminals with a roadmap for future attempts to identify and exploit vulnerabilities or lateral movement once inside the network.

Another potential concern would be the risk of threat actors identifying what third-party software or services are being used by the organization to attempt supply chain attacks. In a 2023 report, Gartner predicted that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains. This would represent a global annual cost to businesses of an estimated $138 billion by 2031. I am not saying that NFCU, their members, affiliates and/or vendors are or were ever at risk of these types of threats. I am only providing a hypothetical real-world risk scenario for cybersecurity awareness and educational purposes.

Inside the database, I saw numerous Tableau workbook documents (.twbx). Tableau is a data visualization and business intelligence platform that helps users connect to data sources and analyze information. The XML-based files define the structure, data connections, calculations, and layouts of dashboards and reports. These files also contained what appeared to be the connection and server details to the underlying databases (in this case, MySQL tables). There also appeared to be key performance indicator (KPI) formulas tied to Navy Federal Credit Union’s financial performance and loan portfolio metrics.
The XML files revealed database table names, field structures, server connection details, and the environment where the workbook is published. Although these tables did not contain member PII, the scenario comparison logic could expose potentially sensitive operational details such as lending performance, process efficiency ratios, profits, and much more. Additionally, this information could hypothetically serve as a blueprint for how internal users interact with the credit union’s scenario comparison data.

This screenshot shows an example of an XML document that includes calculation formulas and the repository location address marked as “Prod” (which likely stands for “production”).
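
An added example, not part of the original report or of any tooling it describes: a check a defender could run over their own packaged workbooks before they are copied into a backup location, listing the connection and repository details each one embeds. It assumes the usual .twbx layout (a zip archive holding a .twb XML document); the function names and every host, database and account value in the sample are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Attributes that reveal where a workbook's data lives or who connects to it.
CONNECTION_ATTRS = ("server", "port", "dbname", "username", "password")

def scan_twb_xml(xml_bytes, source):
    """Report <connection> and <repository-location> details in one .twb document."""
    findings = []
    root = ET.fromstring(xml_bytes)
    for conn in root.iter("connection"):
        exposed = {a: conn.get(a) for a in CONNECTION_ATTRS if conn.get(a)}
        if exposed:  # wrapper connections carry no server details and are skipped
            findings.append({"file": source, "kind": conn.get("class"), "exposed": exposed})
    for repo in root.iter("repository-location"):
        findings.append({"file": source, "kind": "repository-location",
                         "exposed": dict(repo.attrib)})
    return findings

def scan_twbx(fileobj):
    """A .twbx is a zip archive; scan every .twb workbook packaged inside it."""
    findings = []
    with zipfile.ZipFile(fileobj) as archive:
        for name in archive.namelist():
            if name.lower().endswith(".twb"):
                findings.extend(scan_twb_xml(archive.read(name), name))
    return findings

def build_sample_twbx():
    """Constructed sample: every host, database and account name here is made up."""
    twb = b"""<?xml version='1.0' encoding='utf-8'?>
<workbook>
  <repository-location id='ScenarioComparison' path='/workbooks' site='Prod'/>
  <datasources><datasource name='scenarios'>
    <connection class='federated'><named-connections><named-connection name='db'>
      <connection class='mysql' server='db01.example.internal' port='3306'
                  dbname='scenario_db' username='report_svc'/>
    </named-connection></named-connections></connection>
  </datasource></datasources>
</workbook>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("ScenarioComparison.twb", twb)
        archive.writestr("Data/extract.hyper", b"constructed placeholder")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for finding in scan_twbx(build_sample_twbx()):
        print(finding)
```

Any finding means the workbook should be handled with the same access controls and encryption as the database it points to.
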
Generally, when a backup dump is created, it often encodes binary data into text formats that can be easily stored or transferred. Meanwhile, actual file data, large binary objects, or other information may be stored elsewhere in the system or segmented outside of the network. The logic is that when the dump .sql file is imported back into a database server, it executes the contained SQL commands and recreates the database exactly as it was when the dump was made. These files can sometimes be just a representation of the production data, but they still may reveal underlying structures or metadata that indicate how the backup software associates or connects these files to production systems.

Most backup or replication software has configuration scripts that indicate where and how to reconnect the representation files to the “real” data they reference. These files would likely be contained in a blob storage repository, bucket, file server, etc. In a worst-case hypothetical scenario, if criminals obtain backup dump files and know how the backup software connects to a specific database or storage path, they could potentially gain access to actual production data.

When internal data is exposed, each file could contain valuable information that can serve as a puzzle piece to create a more complete picture of the network, functions, and overall operations of an organization. This could create a potentially dangerous scenario where even incomplete backup data could provide criminals with a roadmap to access the full dataset. I am not saying that NFCU’s data is or was ever at risk of this type of exposure or attack. I am only providing a hypothetical scenario of how backup data dumps could pose a potential risk that identifies where sensitive information is stored and how it could be reconnected or restored.

My advice to any organization that regularly creates backups and data dumps is to treat all backup data the same as live production data. These dumps often contain references to potentially sensitive data that could be a valuable target for criminals. So, it is a good idea to encrypt all backup files using modern encryption algorithms (such as AES-256). This way, even if there is a data incident, the files are not human readable without decryption. While even encryption cannot guarantee 100% protection, it can add a valuable layer of security. Never store encryption keys in the same database as the backup files and, when possible, use a dedicated key management system. Conduct regular access audits to ensure that backup repositories are not misconfigured to allow public access.

Another good idea is to log and monitor every read, write, or restore operation so that an alert is triggered and suspicious activity can be identified fast. In many cases, organizations rely on third-party vendors and contractors, and it is important to know how they handle, collect, and store their clients’ data. I recommend organizations that outsource technology services regularly audit vendor security protocols, policies, and procedures. Any data breach of a third-party vendor or contractor’s environment could have the same effects as a direct compromise (depending on what type of data is exposed). So, it is important to know how they will secure the data they have access to.

I imply no wrongdoing by Navy Federal Credit Union, or its employees, agents, contractors, affiliates, and/or related entities. I do not claim that any internal, employee, customer, or user data was ever at imminent risk. The hypothetical data-risk scenarios I have presented in this report are strictly and exclusively for educational purposes and do not reflect, suggest, or imply any actual compromise of data integrity. It should not be construed as a reflection of or commentary on any organization’s specific practices, systems, or security measures.

As an ethical security researcher, I do not download, retain, or share any data I discover. I only take a limited number of screenshots when necessary and solely for verification and documentation purposes. I do not engage in any activities beyond identifying the security vulnerability and, where possible, notifying the relevant parties involved. I expressly disclaim any and all liability for any and all actions that may be taken as a result of this disclosure. I publish my findings to raise awareness of issues of data security and privacy. My aim is to encourage organizations to proactively implement measures to safeguard sensitive information against unauthorized access.

Website Planet’s Recent Publications

At Website Planet we work with an experienced team of ethical security research experts who uncover and disclose serious data leaks. Recently, cybersecurity expert Jeremiah Fowler discovered and disclosed a non-password protected database which exposed 38 GB of files displaying hundreds of thousands of names, physical addresses, phone numbers, email addresses, and other potentially sensitive information apparently belonging to IMDataCenter.
He also found another unsecured database that contained over 900k records that appears to belong to Ohio Medical Alliance, an organization that helps individuals obtain physician‑certified medical marijuana cards.
