Navy Federal Credit Union Backup Exposed in AWS Misconfiguration

A misconfigured cloud storage bucket left hundreds of gigabytes of internal data from Navy Federal Credit Unionexposed online, according to cybersecurity researcher Jeremiah Fowler. The unencrypted Amazon S3 bucket, discovered in May, contained 378GB of backup files linked to the world’s largest credit union.

Fowler found 14 internal backup files in formats such as .gz, .sql, and .twbx that included usernames, email addresses, hashed passwords, encryption keys, and system-level data like business logic, financial metrics, and database structures. No member data appeared in plain text.

While Fowler did not attempt to decrypt any credentials, he warned the exposed information could serve as a blueprint for attackers, offering insights into Navy Federal’s operations, potential vulnerabilities, and internal processes. "Anytime a financial institution potentially exposes how their systems work, it poses serious risks,” he told Information Security Media Group.

The bucket included identifiers such as "NavyXXX_Backup", and email addresses that Fowler was able to link to Navy Federal employees through LinkedIn. One of the exposed SQL dumps was dated May 29, though it’s unclear how long the data had been publicly accessible.

After the discovery was reported, access to the files was restricted within hours. Navy Federal did not respond directly to Fowler, but in a later statement to ISMG, a spokesperson clarified the breach stemmed from a vendor-managed system, not Navy Federal’s own infrastructure. “Navy Federal data and systems remain safe,” the spokesperson said.

The incident underscores the growing risks of misconfigured cloud services. Recent reports highlight how attackers exploit AWS features for ransomware attacks. Gartner predicts that by 2025, nearly half of all organizations will suffer some form of supply chain compromise, with annual costs expected to hit $138 billion by 2031.