Inovatyon security flaw leaks thousands of KYC docs
Is it too much to expect basic security from MLM underbelly schemes?
From the anonymous owner(s) of Inovatyon, apparently so.
Inovatyon launched late last year in Brazil. The scheme sees affiliates pay hundreds of dollars for Invayton affiliate membership, with commissions paid upon recruitment of new affiliates.
Once Inovatyon management figured they’d collected most of the affiliate membership fees they were likely to get, the next step was restricting withdrawal requests.
This saw Inovatyon introduce KYC, wherein thousands of affiliates uploaded highly sensitive identification documents.
Rather than store this information securely however, Inovatyon instead dumped them onto a publicly accessible web-server.
No login, no passwords, no security. Anyone with a web browser had access to the KYC documents of every single Inovatyon affiliate.
The leak was first publicized by Piramidation, a scamwatch blog published in Portuguese, on December 25th.
When you open the link, you see a page that would leave anyone stunned: a huge list comes up with thousands and thousands of documents with personal information of the “franchisees” of Inovatyon!
Thousands of CNHS, identity cards, SSNs, water and electricity bills, birth certificates, work permits, correspondence, professional identities, etc.
Piramidation claim the leak has revealed several well-known Brazilian pyramid scheme regulars to be Inovatyon affiliates. Some of whom had not previously acknowledged their participation.
As at the time of publication, public access to the leaked KYC documents appears to have been revoked. Inovatyon however have not addressed the security leak on either their website or official corporate Facebook page.
Such caches of information are typically a goldmine for identity thieves, with the lack of security surrounding Inovatyon’s KYC documents simply mind-boggling.
Sure it’s funny to joke about scammers getting scammed, but what about those who might have joined innocently?
I suspect as more and more MLM underbelly schemes begin utilizing KYC as a method of restricting withdrawals, we’re probably going to see more of these stories surface.
Those participating in such schemes might want to think about just how much they really trust the companies they’re sending KYC documents into.
here copy of documents:
web.archive.org/web/20151220174437/http://52.20.110.208/crm/webservice/MMN_Realiza/documentos/
“Upload your ID” had been used many times before, including TVI Express and Wazzub.
Web hosting (leaked) documents has the same fav icon as other pyramid scam World Global Network:
nolink://web.archive.org/web/20140531144619/http://home.worldgn.com/lang/en/?u=
Strange coincidence?
BTW, man behind World was also the “president” of other scam called TELME, which was popular in Latin & South America.
World was reviewed here:
nolink://behindmlm.com/companies/global-mobile-network-review/
Inovatyon leak update:
piramidation.com/daniel-fernandes-esperneia-mas-gracas-a-piramidation-inovatyon-bloqueia-acesso-livre-aos-documentos-de-seus-franqueados/