Close Menu
TechTost
  • AI
  • Apps
  • Crypto
  • Fintech
  • Hardware
  • Media & Entertainment
  • Security
  • Startups
  • Transportation
  • Venture
  • Recommended Essentials
What's Hot

Meta enters the crowded AI coding fray with Muse Spark 1.1

Elon Musk says X will send DMs when posts you’ve interacted with are fixed

AI chip maker SambaNova raises $1 billion at $11 billion valuation, 5 months after last mega round

Facebook X (Twitter) Instagram
  • About Us
  • Contact Us
  • Privacy Policy
  • Terms and Conditions
  • Disclaimer
Facebook X (Twitter) Instagram
TechTost
Subscribe Now
  • AI

    Meta enters the crowded AI coding fray with Muse Spark 1.1

    13 July 2026

    Can AI answer the $3 trillion question?

    12 July 2026

    OpenAI shuts down Atlas, but AI browser ambitions keep growing

    12 July 2026

    OpenAI bets on families as ChatGPT goes deeper into households

    11 July 2026

    Meta removes controversial AI feature on Instagram after backlash

    11 July 2026
  • Apps

    Elon Musk says X will send DMs when posts you’ve interacted with are fixed

    13 July 2026

    ‘Slow-cial’ Roost app forces you to slow down to the speed of a carrier pigeon

    12 July 2026

    Character.AI is entering the micro-drama arena with its own productions, but there’s a twist

    12 July 2026

    A new app, HyperTexting, turns the open web into a social media scrolling-like stream

    11 July 2026

    Apple is suing OpenAI for alleged trade secret theft

    11 July 2026
  • Crypto

    Venice AI goes unicorn with $65M Series A as first privacy AI platform takes off

    1 July 2026

    Crypto Exchange OKX wants AI agents to hire and pay each other

    30 June 2026

    Startup Battlefield 200 applications close today

    27 May 2026

    5 days left: Save up to $410 on Disrupt 2026 passes

    25 May 2026

    As crypto cools, a16z crypto raises $2.2 billion in capital

    6 May 2026
  • Fintech

    Don’t want to invest in Elon Musk? Two new ETFs expressly exclude him

    10 July 2026

    India’s payments chief believes artificial intelligence will play a big part in the next era of digital payments development

    28 June 2026

    Early Bird pricing ends tonight for the Founder Summit

    26 June 2026

    4 days left to save up to $190 on Founder Summit 2026

    23 June 2026

    Robinhood’s note on 10% layoffs shows that blaming AI doesn’t cut it

    17 June 2026
  • Hardware

    Meta’s new AI chips will begin production in September

    12 July 2026

    This slush machine was a lifesaver during the New York heat wave

    12 July 2026

    Dumb Co dared me to exchange my iPhone for a hacked phone

    11 July 2026

    SK Hynix raises $26.5 billion in largest foreign public IPO in US history, set to build new fabs in US

    11 July 2026

    After Apple, smartphone manufacturing boom in India enters new phase with Vivo JV

    10 July 2026
  • Media & Entertainment

    Netflix could be planning “always on” live TV channels.

    11 July 2026

    Netflix is ​​dealing with shorter video content with its new set of publisher deals with Variety and others

    8 July 2026

    Netflix invented binge watching. Now he may be over it.

    7 July 2026

    New Google ad imagines a Declaration of Independence written with the help of artificial intelligence

    4 July 2026

    Cloudflare’s new policy pushes AI companies to pay for publishers’ content

    1 July 2026
  • Security

    US cybersecurity agency CISA had to create the incident guide during the incident, the agency reveals

    11 July 2026

    Florida ransomware dealer convicted of helping ransomware gang extort US companies

    10 July 2026

    Hacktivists call out Trump by hacking and defacing US military websites

    8 July 2026

    Canada’s spy agency says it hacked drug traffickers, extremists and a ransomware gang last year

    6 July 2026

    Politician who investigated abuses of wiretapping software on his phone with Pegasus spyware

    3 July 2026
  • Startups

    AI chip maker SambaNova raises $1 billion at $11 billion valuation, 5 months after last mega round

    12 July 2026

    Hot French startup ZML releases free product to speed up inference on multiple AI chips

    12 July 2026

    Former OpenAI executive Kevin Weil is now on Stoke Space’s board

    11 July 2026

    Phia Accused of ‘Cookie Stuffing’, Taking Affiliate Credit for Unearned Purchases

    11 July 2026

    Oratomic raises $300M to build sustainable quantum computer that only needs 20,000 qubits

    10 July 2026
  • Transportation

    TechCrunch Mobility: A robotaxi ultimatum

    12 July 2026

    Slate Auto partners with Crayola to paint its EV truck

    10 July 2026

    Autonomous drone delivery startup Manna plans major US expansion

    9 July 2026

    Federal authorities are demanding that autonomous vehicle companies stop interfering with first responders

    9 July 2026

    Another massive data breach exposed millions of driver’s license numbers

    8 July 2026
  • Venture

    Filed Under: College Fizz App Accuses VC Of Sharing Confidential Startup Info With Rival Sidechat

    11 July 2026

    Charles Hudson shares the common mistakes he’s seen after investing in 500+ startups

    10 July 2026

    Nandan Nilekani steps down as GP at Fundamentum as it launches third $200m fund

    9 July 2026

    What are bending spoons? The little-known owner of AOL and Vimeo who is now public

    5 July 2026

    After $18B IPO, Bending Spoons Founder Says Success Comes From Minimizing Luck

    2 July 2026
  • Recommended Essentials
TechTost
You are at:Home»Security»Money transfer app Duc has exposed thousands of driver’s licenses and passports to the open web
Security

Money transfer app Duc has exposed thousands of driver’s licenses and passports to the open web

techtost.comBy techtost.com2 April 202604 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Email
Money Transfer App Duc Has Exposed Thousands Of Driver's Licenses
Share
Facebook Twitter LinkedIn Pinterest Email

A publicly accessible storage server hosted by Amazon allowed anyone with a web browser to access the personal data of potentially hundreds of thousands of people without needing a password. This included driver’s licenses, passports and other personal information collected by the Duc app, a money transfer service owned by Toronto-based Duales.

The Canadian fintech company said it resolved the data leak on Tuesday after TechCrunch alerted its CEO that one of the company’s cloud storage servers was publicly displaying its content, without a password.

The data was also stored unencrypted, meaning that anyone with a link to the data could see it in full.

Anurag Sen, security researcher at CyPeace which discovered the security flaw earlier in the week, contacted TechCrunch in an attempt to notify the owner of the data. Sen said anyone could view and download the data using their browser just by knowing the easy-to-guess web address of the storage server.

According to Sen, the storage server hosting Amazon listed more than 360,000 files containing government-issued documents and other information used by customers to verify their identity through “know your customer” checks. These files included selfies that users uploaded to prove their likeness in the real world.

TechCrunch was unable to ascertain the exact number of exposed driver’s licenses and passports. However, several folders in the exposed bin contained tens of thousands of user-uploaded files, a sample of which listed driver’s licenses, passports and selfies.

Duales advertises its app as a way for users to send money to other users, including foreigners in Cuba and elsewhere. Of Android App Listing on the Google Play app store it shows more than 100,000 user downloads till date.

The files, which dated back to September 2020 and were uploaded daily, also contained spreadsheets of customers’ names, home addresses and the dates, times and details of their transactions.

When reached by email, Duales CEO Henry Martinez González told TechCrunch that the data was stored on a “stage site,” referring to a site used primarily for testing, but did not explain why customers’ personal information was publicly accessible in the same database.

“All the protection measures are in place,” Martinez González said. “We are notifying the appropriate parties. We have not outsourced any services from you.”

After TechCrunch emailed the company, the files on the storage server became inaccessible, although a list of the server’s contents is still visible.

Martinez González would not say whether the company had the technical means, such as logs, to determine who or how many people had access to the data.

The Duc App website appeared briefly below on Thursday and showed a “bad port” error.

It is unclear how or why Duales left the storage server hosting Amazon publicly open to the Internet. In recent years, Amazon has added security controls to prevent users from inadvertently exposing their data online following a series of high-profile incidents where several corporate giants such as an American spy agencypublished sensitive data to the web due to misconfigurations.

When TechCrunch reached out to the app’s owner, Canada’s privacy regulator said it was seeking more information from the company.

“The Office of the Privacy Commissioner of Canada has reached out to the company to obtain more information and determine next steps,” a spokesperson for the regulator told TechCrunch via email, declining to comment further.

The Duc app is the latest in a list of recent security vulnerabilities that involve exposing other people’s sensitive identity data. This data exposure comes as apps and websites increasingly require their users to upload government-issued documents to verify who they say they are, but without taking enough steps to secure the data they collect.

Last year, the popular app TeaOnHer exposed thousands of its users’ passports and driver’s licenses, which the app required users to upload before allowing them to enter the app’s closed community. Discord last year also confirmed a data breach that affected about 70,000 government-issued documents uploaded by users trying to verify their age, amid a global push to enact online age verification laws.

app Canada cyber security data report drivers Duc Exclusive exposed Fintech licenses Money money transfer open passports Thousands transfer web
Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleDifferent teams start with different VCs
Next Article OpenAI acquires TBPN, the popular founder-led business talk show
bhanuprakash.cg
techtost.com
  • Website

Related Posts

‘Slow-cial’ Roost app forces you to slow down to the speed of a carrier pigeon

12 July 2026

Hot French startup ZML releases free product to speed up inference on multiple AI chips

12 July 2026

OpenAI bets on families as ChatGPT goes deeper into households

11 July 2026
Add A Comment

Leave A Reply Cancel Reply

Don't Miss

Meta enters the crowded AI coding fray with Muse Spark 1.1

13 July 2026

Elon Musk says X will send DMs when posts you’ve interacted with are fixed

13 July 2026

AI chip maker SambaNova raises $1 billion at $11 billion valuation, 5 months after last mega round

12 July 2026
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Fintech

Don’t want to invest in Elon Musk? Two new ETFs expressly exclude him

10 July 2026

India’s payments chief believes artificial intelligence will play a big part in the next era of digital payments development

28 June 2026

Early Bird pricing ends tonight for the Founder Summit

26 June 2026
Startups

AI chip maker SambaNova raises $1 billion at $11 billion valuation, 5 months after last mega round

Hot French startup ZML releases free product to speed up inference on multiple AI chips

Former OpenAI executive Kevin Weil is now on Stoke Space’s board

© 2026 TechTost. All Rights Reserved
  • About Us
  • Contact Us
  • Privacy Policy
  • Terms and Conditions
  • Disclaimer

Type above and press Enter to search. Press Esc to cancel.