Hundreds of Thousands of Records Exposed Online in FinTech Bill Pay Platform Data Breach

Written by: Jeremiah Fowler
15 January 2025

Cybersecurity researcher Jeremiah Fowler discovered and reported to Website Planet a non-password-protected database that contained over 240,000 records belonging to Willow Pays — a payment software company offering AI-driven software that lets users finance bills and other payments.


The publicly exposed database was neither password-protected nor encrypted. It contained 241,970 records. Folders inside the database indicated bills, mailing lists, account inconsistencies, repayment schedules, screenshots, settings, and snapshots. In a limited sampling of the exposed documents, I saw records that included names, email addresses, credit limits, and other internal information. A single spreadsheet contained the details of 56,864 individuals, indicating whether they were prospects, active customers, or blocked accounts.

The name of the database, as well as the documents inside it, indicated that the records belonged to the financial technology company Willow Pays (also known as Willow). The service offers a bill pay management system that spreads payments over 4 weeks and charges customers a fee to finance expenses based on income rather than a credit score. Customers upload their bill and personal details, Willow approves or denies the request, and approved users are prompted to link a debit card or bank account and pay a service fee. Willow pays the user’s bill in full, collects the first installment from the user’s card or bank account, and schedules weekly payments to Willow until the full amount is paid back.

I immediately sent a responsible disclosure notice to Willow Pays, and the database was restricted from public access soon after. I did not receive any reply to my notification. It is not known if the database is owned and/or managed by Willow Pays directly or managed via a third-party contractor. It is also not known how long the database was exposed before I discovered it or if anyone else gained access to it. Only an internal forensic audit could identify additional access or potentially suspicious activity.

Creditors often give borrowers more than they can afford. According to a 2024 survey by NerdWallet, nearly 40% of Americans were charged some type of late payment fee on their bills over the previous 12 months. The Consumer Financial Protection Bureau capped credit card late fees in 2024, but the ruling does not cover expenses such as utilities, auto loans, or other debts. Furthermore, the 2024 Verizon Data Breach Investigations Report indicates that 95% of data breaches are financially motivated — an increase of nearly 24% since 2019. These statistics show that cyberattacks on financial institutions and payment applications are increasingly common. It is important to note, however, that this data reflects broader trends across the industry and does not suggest specific vulnerabilities or breaches within any particular organization.

The techniques and methods are also becoming more sophisticated. Any database misconfiguration that exposes sensitive payment or bank information could pose significant risks, as it could provide criminals with valuable information that could be combined with fraud tactics. I am not representing that Willow Pays’ data, or that of its users, was ever at risk or compromised in any manner. I am only providing a general observation of potential cybersecurity risks as they relate to the exposure of financial information.

My advice to anyone who believes that their information has been compromised in a data breach is to:
  • Monitor your financial accounts for unauthorized activity or suspicious charges. Many banks and credit card providers offer fraud alert services that can help identify unauthorized charges or new accounts opened without the cardholder’s knowledge. It is also a good idea to review your personal credit reports at least 1-2 times a year to identify unrecognized or new accounts. In the unfortunate event that you are a victim of identity theft, you can request a freeze on your credit to prevent new accounts from being opened in your name.
  • Change passwords for potentially affected accounts. Using strong, unique passwords and enabling two-factor authentication wherever possible is the first and most basic step for account security.
  • Always be cautious of phishing scams. Never give out your personal or financial information over the phone or by email without verifying that the request is legitimate. Avoid transmitting information via unofficial communication channels.

Criminals often use information that has been previously exposed to trick potential victims into sharing additional sensitive data. In this case, the exposed names, phone numbers, email addresses, and partial credit card numbers could hypothetically provide fraudsters with all of the information they would need to create highly believable phishing schemes or social engineering attempts.

Similarly, scanned images of bills could contain far more information than simply names, physical addresses, and account numbers. Knowing specific details of the services a user is being billed for could serve as a blueprint for invoice fraud. The exposure of account data could also help criminals gain unauthorized access to user accounts with utility providers or other important services, further compromising the personal privacy of those individuals.

Knowing legitimate account numbers and personal details could provide criminals with enough information to create highly targeted spear-phishing emails that leverage real billing data to build trust. As a hypothetical example, suppose a criminal knows that a bill is past due or that a disconnection-of-service notice has been issued. The criminal could offer to let the user settle the debt for less if they provide their credit card or banking information over the phone or by email. The user would have no reason to doubt the fraudulent request, because the combination of accurate personal information, correct account data, and bill status is something that, in theory, no one should know except the creditor, merchant, and customer. I am not implying that Willow Pays’ customers are at risk of any type of fraud attempt or threat to their identity; I am only providing a real-world risk scenario for informational purposes.

My recommendations for financial software providers are to take proactive cybersecurity measures to prevent unauthorized access to their internal networks and storage environments. This would include, but not be limited to:
  • Encrypting sensitive financial data and ensuring that cloud storage databases are secure, properly configured, and not publicly accessible. When sensitive data is encrypted, it is more difficult for unauthorized individuals to exploit the information in the unfortunate event of a data breach or malicious intrusion.
  • Conducting regular security audits and vulnerability testing to identify and fix issues before they become critical.
  • Implementing multi-factor authentication (MFA) and user behavior analytics to provide an additional layer of security for applications, web portals, and even internal database access, protecting accounts even if user credentials are compromised.
  • Educating users on how to recognize phishing attempts and on the importance of strong access controls. Protecting users from social engineering attacks and phishing benefits both the service provider and the end user.

I imply no wrongdoing by Willow Pays, and I do not claim that internal data or user data was ever at imminent risk. The hypothetical data-risk scenarios I have presented in this report are exclusively for educational purposes and do not reflect any actual compromise of data integrity. This report should not be construed as a reflection of any organization’s specific practices, systems, or security measures. No part of this report should be interpreted as implying a deficiency or vulnerability within Willow Pays or any of its affiliated entities.

As an ethical security researcher, I do not download the data I discover. I take a limited number of screenshots solely for verification purposes. I do not conduct any activities beyond identifying the security vulnerability and notifying the relevant parties. I disclaim any responsibility for actions that may be taken as a result of this disclosure. I publish my findings to raise awareness on issues of data security and privacy. My aim is to encourage organizations to proactively safeguard sensitive information against unauthorized access.
