Millions of people in Turkey who use popular finance apps may be at risk after researchers uncovered an unsecured database containing sensitive user information, the Cybernews technology news outlet reported on Wednesday.
According to Cybernews, its research team found an open MongoDB database with more than 4 million records linked to FinansCepte and FinansWebde, two widely used apps for financial tracking and investment management. The apps are operated by Pasyonis Medya ve Bilişim Ticaret.
The exposed data included usernames, email addresses, phone numbers, partial payment details, hashed passwords and financial alert settings, Cybernews said.
It remains unclear whether the database was accessed by malicious actors or how long it had been left unsecured. Cybernews noted that attackers frequently scan the internet for unprotected databases, meaning the information could already have been copied before researchers found it.
The company behind the apps did not respond to Cybernews’ request for comment before publication.
Cybersecurity experts say exposures of this kind leave users vulnerable to a range of attacks. Stolen data can be used in phishing campaigns, in which attackers impersonate trusted services to trick people into giving away credentials. Even though the passwords were stored in hashed form, they could still be exploited in automated “credential stuffing” attacks to break into other accounts.
Misuse of alert settings could also allow attackers to manipulate financial notifications, potentially misleading users about market movements or account activity.
Cybernews said the lapse was likely due to a configuration error — a common but dangerous mistake that has caused several major data exposures worldwide in recent years.
In 2024 Cybernews discovered an unprotected database linked to Nigerian financial technology company BestFin, which operates the iCredit app, exposing the information of more than 800,000 people. Another exposure involving Uruguay-based digital banking platform Bankingly revealed the data of nearly 100,000 users across South and Central America.
Cybernews stressed that while a confirmed breach of the Turkish data has not been established, the scale of the exposure and the nature of the information involved make it a serious security risk.