Cybersecurity researcher Jeremiah Fowler uncovered a major data breach involving Willow Pays, a fintech company specializing in AI-powered payment solutions.
The exposed database, which was not password-protected or encrypted, contained over 240,000 sensitive records belonging to customers and internal accounts.
What Was Exposed?
The database, containing 241,970 records, included folders labeled as bills, repayment schedules, account inconsistencies, mailing lists, screenshots, and more. A closer examination of the documents revealed sensitive customer details such as names, email addresses, credit limits, and account statuses. One spreadsheet alone detailed information about 56,864 individuals, categorizing them as active customers, prospects, or blocked accounts.
Willow Pays offers users a system to finance bills by spreading payments over four weeks, charging a service fee based on income instead of a credit score. Users upload bills and link their bank or debit accounts to facilitate payments. The database exposure put this sensitive customer data at potential risk.
Fowler promptly reported the breach to Willow Pays, and the database was secured shortly after. However, no formal acknowledgment or response was received from the company. It remains unclear how long the database was exposed or whether unauthorized access occurred before it was secured. Only a thorough forensic audit could determine if any suspicious activities took place.
Bijay Pokharel