378 GB of Data From Navy Federal Credit Union Exposed

A publicly exposed database, apparently associated with the Navy Federal Credit Union, exposed 378.7 GB of information.
The database was discovered by cybersecurity researcher Jeremiah Fowler, who sent a responsible disclosure notice but has not yet received any correspondence from the organization. However, the database has since been restricted and is no longer accessible.
While the data appears to belong to the credit union, it is unknown whether the database itself belongs to the institution or is owned and managed by a third party. Furthermore, it is currently not known how long the database was exposed, nor whether any malicious actors gained access to it.
Some exposed data includes:
- User names
- Email addresses
- Hashed passwords and keys
Fowler also found exposed backup files, including operational metadata and system logs. Business logic was also found, including codes, optimization processes, product tiers, rate structures and more.
With the exposed data, a malicious actor could, hypothetically, perform numerous actions. By leveraging names, emails or user IDs, the actor could carry out credential stuffing, phishing or other social engineering attacks, possibly compromising sensitive internal systems or information. Another potential threat would be supply chain attacks, if the actor is able to identify third-party software or services utilized by the organization.







