Chum1ng0 - Security Research 

141 Followers
130 Following
802 Posts

#Chile. Independent Researcher covering #hacktivism, #ransomware, #cybersecurity, #leaks, and data breaches in Latin America. #LATAM

You can subscribe to my newsletter dedicated to #cybersecurity, data breaches, misconfigurations, and #hacktivism in Latin America, created & edited by @chum1ng0

Newsletter: https://newschu.substack.com

#misconfigurations #leak #cybersecurity #dataleak #databreach #privacy

Newsletter: http://newschu.substack.com
Email: [email protected]
X (ex-Twitter): https://twitter.com/chum1ng0
Can you buy me a coffee? https://buymeacoffee.com/chum1ng0
Medium: https://medium.com/@newschu.substack.com/
Blog: https://www.security-chu.com

🚨 🇻🇪 Sensitive Data Exposure at the Venezuelan Football Federation (FVF)

The Venezuelan Football Federation (FVF) maintained a publicly accessible storage system that exposed sensitive information belonging to several football clubs, including:

Club licenses for teams such as Club Carabobo FC, Dynamo Puerto F.C., and Titanes FC.

COMET player registration files from Club Carabobo FC.

Tax returns and contracts.

What specific data was exposed in the COMET files?

Full names, national ID numbers, phone numbers, email addresses, and home addresses.

This vulnerability was responsibly reported on April 6 via email and through the official complaints/reporting section on the FVF website.

The exposed storage was blocked on April 17.

However, as of today, I have not received any response from the FVF.

In the last few hours I've learned that the FVF is looking for human capital in cybersecurity.

If this hadn't been reported, it might still have been active and could have put players' data at risk.

#databreach #Venezuela #cybersecurity #incidentresponse

🇧🇩 Today I'm going to talk about Bondstein Technologies Limited, a company based in Dhaka, Bangladesh. One of their servers was found to be completely open and unprotected.

Bondstein Technologies Limited is a Dhaka-based technology company specializing in Internet of Things (IoT) solutions and frontier technologies. Founded in 2014, it has established itself as a leading player in Bangladesh for vehicle tracking, industrial automation, and smart connectivity.

What data was exposed?

On December 26, 2025, I discovered that the server was exposing a 22 GB SQL backup file. According to the file timestamps and metadata, this backup appears to have been publicly accessible since at least July 2025. Among the files in the backup was users.sql, which contained the following sensitive fields:

username, customer_name, First_name, Last_name, Phone_number, Additional_contact-number, email, password.

*I was able to confirm that some of the employee names were real.

Additional findings:

The exposed server's IP resolved to a properly certified HTTPS server using a subdomain under .bondstein.net. The same IP also hosted a login portal (which I did not attempt to access). With this information, we were able to accurately identify the owner and submit a responsible disclosure.

Notification:

All of this was detailed in the email I sent to several Bondstein employees on December 26, 2025. When I checked again on January 5, 2026, the exposure had been fully closed. I followed up via email to inquire about any possible reward. On January 6, they replied with the following message:

Hi Chum1ng0,

Thank you for your responsible and detailed disclosure regarding the open directory issue on our server. We sincerely appreciate you taking the time and effort to notify us of this vulnerability, which allowed us to address it quickly. Your commitment to ethical research is truly valued. We want to confirm that the issue has been fixed and access has been restricted. We would also like to clarify that the server you identified is a staging server kept for internal purposes, and not a production environment. Regarding your request for a reward, we currently do not have an official bug bounty program in place. However, we are grateful for your help in securing our infrastructure.

We appreciate your patience and look forward to potentially collaborating in the future should we establish a formal program.

Sincerely
Bondstein

-NO REWARD-

#VDP #responsibleDisclosure #misconfigurations #Bangladesh #cybersecurity #bondstein

In summarizing my responsible disclosures this semester, 42 organizations were notified (via email or web form).

✅ 15 closed their exposed data.

❌ 27 organizations acted irresponsibly in handling their data.

#cybersecurity #research #security #infosec

Another day of closed data breach:

🇦🇪 Today we're talking about a commercial enterprise located in the United Arab Emirates. This information came from an IT service provider for Dubai Duty Free called touchworldtechnology.

Dubai Duty Free (DDF) is a retail operation at Dubai International Airport (DXB) and Al Maktoum International Airport (DWC), recognized worldwide as one of the largest and most successful duty-free shops in the world.

What data was exposed?

An open directory containing 90GB of information was exposed at the time, likely due to an error or misconfiguration.

While reviewing the folders, I found data that shouldn't have been publicly exposed. According to my information, this data had been exposed since the beginning of the year. I discovered it in early September, so imagine how long it had been exposed.

What files did that open directory contain?

At first, I saw Excel spreadsheets, invoices, test invoices (irrelevant things), but as I continued, I saw passports and ID cards, which started to worry me. I also saw a .env file containing the entire MySQL database configuration with its username and password, as well as the configuration of the bucket on digitaloceanspaces.com with its access key and secret.

So, someone backed up the bucket and left it exposed?

Notification:

I sent an email to DDF on September 3rd warning them about this situation. When I saw that no one responded, I sent an email to the AE Computer Emergency Response Team (AECERT) on September 5th. No one replied, but on September 10th, I received an email thanking me for my concern and saying they would forward the email to the appropriate department.

This was closed on September 13th, according to my follow-up.

#cybersecurity #AE #databreach #infosec

@PogoWasRight
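The exposure above (an "Index of" listing, a .env file holding database and object-storage credentials, and a bucket backup served as plain static files) is the kind of thing a web server configuration can rule out. The following is an added example, not configuration from DDF, touchworldtechnology or any other organization named in these posts; the hostname and document root are placeholders. The first server block shows the weak setting, the second the corrected one.

```nginx
# WEAK: directory listing enabled, and every file under the document root
# (.env, *.sql, *.zip backups) is served as a static file.
server {
    listen 443 ssl;
    server_name example.invalid;        # placeholder hostname
    root /var/www/html;                 # placeholder document root
    autoindex on;                       # produces the "Index of /" page
}

# HARDENED: no listing, dotfiles and dump/backup artifacts are not served.
server {
    listen 443 ssl;
    server_name example.invalid;        # placeholder hostname
    root /var/www/html;                 # placeholder document root
    autoindex off;                      # a directory without index.html now gets 403

    # Keep ACME challenges reachable; the prefix match below takes precedence
    # over the regex locations that follow.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }

    # Dotfiles: .env, .git/, .htpasswd, editor swap files, etc.
    location ~ /\. {
        return 404;
    }

    # Database dumps, archives and backups that should never be web-reachable.
    location ~* \.(sql|sql\.gz|bak|old|orig|zip|tar|tgz|gz|7z|rar|log)$ {
        return 404;
    }
}
```

After `nginx -t` and a reload, a request for a directory path such as `/uploads/` should return 403 instead of a 200 page titled "Index of", and a request for `/.env` or `/backup.sql` should return 404. The deny rules only stop the web server from serving those files; the credentials in a .env that was ever listable should still be rotated, since the post above shows they can sit exposed for months before anyone notices.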

Another day of closed data breach:

🇱🇰 This time it's a Sri Lankan insurance company, Continental Insurance Lanka Limited (https://cilanka.com), which has 58 branches across Sri Lanka. This extensive branch network is designed to provide close and convenient service to its customers nationwide.

Continental Insurance offers a wide range of personal and business insurance solutions.

Personal Insurance

Motor Vehicle Insurance
Health Insurance
Home Insurance
Travel Insurance

Business Insurance

Fire and Property Insurance
Engineering Insurance
Marine and Cargo Insurance
Liability Insurance
Employee-Related Insurance

This insurer exposed an open directory of 1.70GB in size with data in XLSX and JSON formats. This was exposed from the beginning of 2025—imagine how long it was exposed.

Among the exposed data were files called "claims" in JSON format. The file I reviewed contained 3,657 medical insurance claim records.

What data do the files contain?

Employee/Patient, Internal CEA Reference, Reason for consultation,
Claim Type, Claimed Amount, Amount Not Paid, Amount Finally Paid, Consultation Date, Date the Insurance Company Was Notified, Payment Date, Hospital/Clinic, Check Number, Status.

But where were the insured parties in this file from?

From the Central Environmental Authority (CEA), https://www.cea.lk, the leading institution for environmental protection and management in the country.

Notification:

I notified the company on November 2nd via email to inform them of the situation and the information I was providing.

This matter was closed on November 5th without a response from the insurer.

I also didn't see any announcement on their website warning about this situation. Did the insurer notify the CEA (Central Environmental Authority of Sri Lanka) about the information I provided? We don't know, and we won't know, since no one responded to my emails.

#cybersecurity #Srilanka #insurance #databreach #government #infosec

@PogoWasRight

Reviewing my old notes and checking whether the issue was still present: last year I sent a responsible disclosure to:

🇷🇼 The Rwanda Rural Rehabilitation Initiative (RWARRI) is a Rwandan non-governmental organization (NGO) dedicated to improving the social and economic well-being of rural communities.

At that time, an S3 bucket containing at least 14,000 files was exposed. Therefore, I sent an email to the organization explaining the situation: ID cards, vouchers, letters, invoices, etc.

The sample shows an attendance sheet for a meeting of an agricultural project in Rwanda; that sheet contained personal data such as names and surnames, Rwandan national identity card number, sex, telephone, organization, and signature.

According to my records, this was sent on November 25, 2024. I also attached the email to the National Cyber Security Authority of Rwanda (ncsa.gov.rw).

*Today, access to the bucket is denied; I received no response from either entity.

#cybersecurity #infosec #Rwanda #Africa #databreach #news

@PogoWasRight
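A bucket becomes listable by anyone when a bucket policy or ACL grants `s3:ListBucket` (and usually `s3:GetObject`) to the anonymous principal. The post above does not say what caused the RWARRI exposure, so that is an assumption about the general pattern, not a statement about their configuration. The script below is an added example, not RWARRI's or AWS's code: it reads a bucket policy document offline and reports every unconditional statement that grants one of those actions to everyone. The policy it checks is constructed for illustration and belongs to no real bucket.

```python
"""Offline review of an S3 bucket policy for anonymous listing or reads.

Added example with a constructed policy; it does not contact AWS. Feed it the
JSON returned by `aws s3api get-bucket-policy` for a real review.
"""
import json

# Actions that let an anonymous caller enumerate or fetch objects.
EXPOSING_ACTIONS = {"s3:listbucket", "s3:getobject", "s3:*", "*"}


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, the two anonymous forms."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws is not None and "*" in _as_list(aws)
    return False


def public_grants(policy):
    """Return (Sid, action, kind) for each Allow statement open to everyone.

    kind is "public" for an unconditional grant and "conditional" when the
    statement carries a Condition block, which a human should still review.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() in EXPOSING_ACTIONS:
                kind = "conditional" if "Condition" in stmt else "public"
                findings.append((stmt.get("Sid", "<no Sid>"), action, kind))
    return findings


# Constructed sample: the first statement is the classic "everyone may list and
# read the whole bucket" mistake; the second is a harmless owner-only grant.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicListAndRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
    },
    {
      "Sid": "OwnerFullAccess",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
""")

if __name__ == "__main__":
    for sid, action, kind in public_grants(SAMPLE_POLICY):
        print(f"{kind}: statement {sid!r} grants {action} to everyone")
```

The check covers the bucket policy only; legacy object ACLs and the account-level Block Public Access setting are separate controls, and enabling Block Public Access is the simplest way to make a grant like `PublicListAndRead` ineffective even if it is written.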

Happy Thanksgiving

@PogoWasRight

Dear Chum1ng0,

Thank you for getting in touch and highlighting the recent security issue on our platform. We appreciate the responsible way you disclosed the details and your efforts to help us maintain a secure environment. Our team has reviewed the issue you identified and yesterday implemented a fix. At present, we don't have a formal reward or bounty programme in place, but we genuinely appreciate the time and care you took to bring this to our attention. Responsible disclosures like yours play an important role in improving overall platform security.

Kind regards,

*This was sent by a company located in Ireland, thank you for taking the time to write this email.

#infosec #cybersecurity

A server was exposing backups of files from the ENIP (National Public Integrity Strategy), which belongs to the Ministry of the General Secretariat of the Presidency. These files totaled 3.94 GB, as shown in the sample.

* Sample of the exposed "Index of". According to my records, it could have been exposed since 2024, more than a year ago.

* The files contained emails from meetings and workshops, for example, this one here: Names and emails exposed.

* Another file contained a very small SQL backup file, but it contained exposed emails and passwords from the Ministry of the General Secretariat of the Presidency.

* I sent an email to ANCI and an email to Minsegpres to block this access, and it was blocked the next day.


* ANCI responded to my email:

As the National Cybersecurity Agency, we appreciate your cooperation and the information provided. We will take the appropriate actions and notify the administrators of the affected institution.

Thank you again for your time and willingness to help.

*What I learned: if you look very carefully you can get a big surprise like these emails and passwords in plain sight.

#government #Chile #infosec #cybersecurity #databreach #leak

🇭🇺 Today I resolved an unsecured server in Hungary; the problem was solved thanks to HunCERT.

#cybersecurity #Hungary #HunCERT #research