Financial institutions rely on third-party vendors for communication and customer engagement platforms, but these dependencies can quietly introduce serious cybersecurity risks. CloudSEK’s Supply Chain Monitoring platform, SVigil, uncovered exposed credentials belonging to a key supplier of a major banking entity. These credentials granted access to a centralized communications portal, exposing sensitive customer data, call recordings, and critical cloud infrastructure.

SVigil’s timely discovery enabled proactive risk mitigation, preventing misuse of sensitive cloud configurations and millions in operational credit—safeguarding both infrastructure and customer trust.

The Discovery

During continuous scanning for vendor-related threats, CloudSEK’s SVigil platform detected compromised credentials belonging to employees of a third-party communication service provider. These credentials granted access to the Central Portal, a vital interface used for campaign orchestration, contact center operations, and cloud infrastructure configuration.

The exposed access led to the discovery of a severe data breach affecting prominent banking entities, including access to critical systems and sensitive data of major banking entityBank. The breach risked operational disruption, data theft, and unauthorized communication with customers.

Key Findings

Platform Affected: Central Portal of a Communication Service Provider
Modules Exposed: Flows, Campaigns, Emergency Notifications, Reports, Setup, Cloud Accounts
Critical Exposure:

• USD 3Million in credit balance.
• Credentials for 32 cloud service accounts across AWS, GCP, and Azure.
• GCP service accounts with elevated privileges (Owner/Editor roles).
• Access to sensitive call recordings and transcripts.
• Ability to send bulk SMS/email to over 50K users.

‍

Technical Analysis

‍

Source of Credentials: Credential dump on dark web.

Portal Features & Risks:

• Dashboard Overview: Visualizes metrics on outbound/inbound calls, SMS, emails.
• Call Queues Module: Routes calls to agents. Malicious access could allow redirection to fraudulent call centers.
• Dynamic Agents: Add/manage agents. A breach here enables full manipulation of contact center operations.
• Campaign Flows: Configure communication flows such as IVR and autodialers.
• Cloud Accounts: Credentials for 32 cloud accounts found. Developer tools exposed sensitive files such as client.json with GCP service keys.
• Risk of Abuse: Four accounts had Owner-level access and one with Editor-level. Malicious actors could exfiltrate or delete sensitive data and tamper with infrastructure.

Exposed GCP Service Accounts (Examples):

• supplier-software-verified-sms
• pcpl-speech-to-text
• clicktocall
• central-awspoc
• Testing-agent-1-mrdmlr

Samples from pcpl-speech-to-text Storage Bucket:

• Sensitive call recordings (e.g., loan discussions, debit card block requests).

‍

• Associated transcripts stored in plain text.

Business Impact

• Exposed Employee Credentials: Threat actors leveraged leaked credentials to gain unauthorized access to internal systems and dashboards.
• Unsecured Cloud Storage Access: Sensitive assets such as call recordings and transcripts were left exposed in cloud buckets without proper access controls.
• Privileged Service Account Misuse: High-privilege GCP service accounts were accessible, increasing the likelihood of data exfiltration and infrastructure compromise.
• EDR Failure Enables Unauthorized Access: Endpoint Detection and Response (EDR) solutions failed to detect abnormal access patterns, allowing persistent threat actor activity.
• Lack of MFA Increases Credential Attack Risks: Absence of multi-factor authentication (MFA) on the supplier portal elevated the risk of successful credential-based attacks.

‍

SVigil’s Security Recommendations

• Immediate Credential Revocation: All exposed employee credentials must be immediately revoked to prevent unauthorized access.
• Strengthen Cloud Security Configurations: Secure cloud resources by applying strong access control policies, removing hardcoded credentials, and encrypting sensitive files.
• Tighten Cloud Access Controls: Review and restrict cloud IAM roles; minimize use of high-privilege roles such as Owner or Editor.
• Deploy EDR to Prevent Unauthorized Persistence: Ensure a robust EDR system is in place to detect, block, and alert on suspicious user behavior and anomalous access.‍
• Mandatory 2FA Across All Sensitive Portals: Enforce multi-factor authentication for all users accessing sensitive infrastructure and dashboards to reduce the likelihood of credential abuse.