Cybersecurity researcher Jeremiah Fowler has revealed a significant data exposure involving a massive, unprotected database potentially linked to Navy Federal Credit Union (NFCU)—the largest credit union in the United States serving military personnel, veterans, and their families.
In his report, Fowler explained: “I discovered and reported to Website Planet about an unencrypted and non-password-protected database that contained 378 GB of backup data.”
The database, which was publicly accessible, included 14 backup files in .gz, .sql, and .twbx formats. Fowler noted: “In a limited sampling of the exposed files, I saw internal users’ names, email addresses, and what appeared to be hashed passwords and keys.”
Operational metadata, system logs, and sensitive business logic—such as product tiers, optimization processes, and rate structures—were also exposed.

While the records were not confirmed to belong directly to NFCU, Fowler observed: “Information from the name of the database and internal files suggests the records belong to Virginia-based Navy Federal Credit Union.”
With $180.8 billion in assets and 14.5 million members, NFCU is the largest credit union in the U.S. and primarily serves the military community. Fowler responsibly disclosed the exposure, after which the database was restricted within hours. However, he reported: “I did not receive any reply to my responsible disclosure notice.”
Although Fowler did not find plain-text member data, the risks are serious. He warned: “Attackers could use internal information (such as names, emails, and user IDs) to target staff or accounts with credential stuffing, phishing, or other social engineering attempts.”
Even more concerning, the exposed Tableau workbook documents (.twbx) contained database table names, field structures, server details, and KPI formulas tied to NFCU’s financial performance. This metadata could serve as a blueprint for attackers to map internal systems.
Fowler explained: “Even incomplete backup data could provide criminals with a roadmap to access the full dataset.”
Fowler noted that “any data breach of a third-party vendor or contractor’s environment could have the same effects as a direct compromise.”
His advice to organizations: “Treat all backup data the same as live production data. Encrypt all backup files using modern encryption algorithms such as AES-256, and never store encryption keys in the same database as the backup files.”
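As an added illustration of this advice (not code from Fowler's report or from NFCU), the Python audit below walks a backup directory and flags files stored unencrypted in the formats named in the report (.gz, .sql, .twbx), along with key material kept beside the backups. The entropy threshold, the key-file suffixes and the sample files are assumptions; high entropy is only consistent with encryption, not proof of it.

```python
import gzip, hashlib, math, os, tempfile, zipfile
from collections import Counter
SAMPLE = 4096                     # bytes inspected at the start of each file
KEY_SUFFIXES = (".key", ".pem")   # assumed naming convention for key files

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 means uniformly random)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify(name: str, head: bytes) -> str:
    if name.lower().endswith(KEY_SUFFIXES) or head.startswith(b"-----BEGIN"):
        return "key material stored with backups"
    if head.startswith(b"\x1f\x8b"):        # gzip magic bytes
        return "unencrypted gzip"
    if head.startswith(b"PK\x03\x04"):      # zip magic bytes; a .twbx is a zip
        return "unencrypted zip container"
    if entropy(head) < 7.0:                 # readable content such as a .sql dump
        return "unencrypted text"
    return "opaque"                         # high entropy: consistent with ciphertext

def audit(root: str) -> dict:
    """Map each offending file (path relative to root) to its finding."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                kind = classify(name, fh.read(SAMPLE))
            if kind != "opaque":
                findings[os.path.relpath(path, root)] = kind
    return findings

def demo() -> dict:
    """Audit a constructed backup directory (all file contents are made up)."""
    sql = b"CREATE TABLE users (id INT, email TEXT);\n" * 50
    enc = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # ciphertext stand-in
    files = {"dump.sql": sql, "dump.sql.gz": gzip.compress(sql),
             "dump.sql.enc": enc, "backup.key": bytes(range(32))}
    with tempfile.TemporaryDirectory() as root:
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        with zipfile.ZipFile(os.path.join(root, "report.twbx"), "w") as z:
            z.writestr("report.twb", "<workbook/>")
        return audit(root)

if __name__ == "__main__":
    for path, finding in sorted(demo().items()):
        print(f"{path}: {finding}")
```

Very small or empty files fall below the entropy threshold and are reported as unencrypted text, so review those findings by hand.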