Canadian Money Transfer App Duc Exposes Thousands of Customers' Sensitive Documents via Unsecured Amazon Server

The Canadian money transfer app Duc exposed thousands of customers' sensitive documents, including driver's licenses and passports, due to an unsecured Amazon-hosted server. The misconfigured server allowed unrestricted access to the data without requiring authentication. The exposure was discovered in April 2026, though the exact duration of the vulnerability remains unclear. The incident specifically impacted users of the fintech service based in Canada. No CVE ID was mentioned in relation to the misconfiguration. The breach highlights the risk of improperly secured cloud storage containing personally identifiable information.