Millions of users of Turkey’s most popular finance applications may have had their private data exposed after researchers discovered an unprotected MongoDB database containing over four million sensitive financial records.
The Cybernews research team traced the leak back to two widely used apps, FinansCepte and FinansWebde, which serve more than a million users across Turkey. Both apps provide services for financial tracking, market analysis, and personal investment management.
While the duration of the exposure is unknown, the lack of security on the database leaves open the strong possibility that cybercriminals may have already accessed the records. As researchers noted, attackers actively scan the internet for unsecured databases, and if investigators located this one, there is a high likelihood that malicious actors found it too.
Cybernews reached out to the company behind the applications, Pasyonis Medya ve Bilişim Ticaret, but at the time of publishing, no response was received.
Researchers Trace Exposed Records to Two Widely Used Turkish Finance Apps
The unprotected database tied to FinansCepte and FinansWebde exposed multiple categories of sensitive user data, including:
- Usernames
- Email addresses
- Phone numbers
- Partial payment information
- Hashed passwords
- Financial alert settings
What the Exposed Database Contained and Why It Matters
Leaking this type of financial data carries serious risks. Usernames, emails, and phone numbers can be used in phishing attacks designed to trick users into revealing additional personal or financial information.
Although the leaked passwords were hashed, they could still be exploited in credential stuffing or brute-force attacks, where attackers attempt to reuse them across different platforms.
The exposure of financial alert settings also carries unique consequences. Attackers could potentially manipulate alerts, feeding users false notifications or silencing real ones at critical times, creating opportunities for fraud and financial harm.
How a Simple Misconfiguration Became a Large-Scale Exposure
Cybersecurity experts point out that leaving a database unprotected—without even a password—is typically the result of a basic misconfiguration. Such mistakes are common but have repeatedly led to severe breaches affecting financial applications worldwide.
According to Cybernews researchers, these missteps may look minor, but when unchecked, they can spiral into incidents impacting hundreds of thousands or even millions of users.
Potential User Impact and Abuse Scenarios Observed in Similar Cases
The exposure of financial data leaves users vulnerable to multiple cyberattacks:
- Phishing Campaigns: Attackers impersonating the apps could request users to “reset” their credentials, stealing login details in the process.
- Account Takeovers: Hashed passwords, when cracked, could be reused across multiple platforms, leading to broader identity theft.
- Alert Manipulation: By tampering with notification settings, attackers could mislead users about market conditions or silence warnings.
Company, Apps, and Timeline Context
Both FinansCepte and FinansWebde, operated by Pasyonis Medya ve Bilişim Ticaret, are among Turkey’s most widely adopted tools for individuals tracking markets and managing investments. The leaked database contained over four million financial data records, but details remain unclear about how long the data was exposed or whether unauthorized parties accessed it.
Other Financial App Data Breaches Show a Repeatable Pattern
This is not the first time financial technology platforms have suffered from large-scale misconfigurations.
- In 2024, Cybernews discovered a major exposure at Nigerian fintech company BestFin, which runs the iCredit app. The leak revealed data on 846,000 customers, including emergency contacts and private SMS messages that the app was quietly collecting.
- Around the same period, Uruguay-based digital banking platform Bankingly left exposed data from seven financial institutions, compromising the personal details of nearly 100,000 individuals across South and Central America.
These recurring incidents highlight an industry-wide issue: financial apps handling vast amounts of sensitive personal information often leave it unprotected due to basic configuration errors.
Current Status and What Is Known Now
The exposed database linked to FinansCepte and FinansWebde remains a serious security concern. While researchers discovered the flaw, the company behind the apps has not yet commented publicly or confirmed whether it has secured the database. Until then, millions of Turkish users remain uncertain about the safety of their financial data.
