InfoSecBulletin Cybersecurity for mankind
Cybersecurity researcher Jeremiah Fowler found an unsecured database with 245,949 records, reported to vpnMentor. It likely belonged to a tax credit consulting agency and contained personal information such as PII, driver’s licenses, military discharge forms, Social Security numbers, and other sensitive documents.
The database was unprotected and held 245,949 records totaling 286.9 GB. I noticed that it included sensitive personal information in plain text, such as names, addresses, email addresses, dates of birth, and Social Security numbers. Additionally, it contained driver’s licenses, ID cards, Social Security cards, tax credit documents with job and salary details, and eligibility determination letters.
Node.js Flaws Expose Windows Apps to Path Traversal & HashDoS Attacks
Broadcom fixes multiple vulnerabilities in VMware ESXi, Workstation, and Fusion
Oracle Patched 309 Vulnerabilities with 145 Remotely Exploitable Flaw
Microsoft Extends 365 Support Until 2028 with ESU Program
Meta’s $100B AI Push: Gigawatt-Size Data Centers Spark Water Crisis
4 vulns impact Gigabyte motherboards to UEFI malware bypassing Secure Boot
Wing FTP 2000+ Servers Exposed Online: Actively Exploiting
CVE-2025-7503 (CVSS 10)
Backdoor in popular IP Camera Allows Hackers Root Access
(CVE-2025-25257)
Patch Urgently! Exploits for pre-auth Fortinet FortiWeb RCE flaw released
GP launched appless ‘GP Shield’ to protect mobile for only 50 TK
The database had DD214 forms, which are similar to certificates confirming a veteran’s military service. Along with these public records, it also included many password-protected PDF files labeled as “forms.” The filenames included personal information like the employer’s name, the applicant’s full name, a numeric code, and document number.
Jeremiah Fowler revealed that internal files suggested the records were linked to Rockerbox, a Texas company. Rockerbox specializes in tax credit consulting, helping businesses boost cash flow by managing employer-focused tax incentives such as the Work Opportunity Tax Credit (WOTC), Employee Retention Tax Credit (ERTC), R&D credits, and Empowerment Zone credits. The company is located in Dallas and serves clients nationwide.
Fowler said, after sending a responsible disclosure notice to Rockerbox the database was restricted from public access several days later and no longer accessible.
Rockerbox serves various industries, including restaurants, hospitality, healthcare, temporary staffing, trucking, manufacturing, warehouses, food processing, skilled trades, and golf courses.
In a 2024 report by Experian, the FTC recorded over 1.1 million identity theft claims and managed around 2.6 million fraud cases, resulting in losses over $12.7 billion. I want to clarify that I am not suggesting Rockerbox’s clients or their employees are at risk of fraud or have had their data compromised. I’m only discussing potential risks associated with exposed personal data.
Android malware Anatsa infiltrates Google Play targeting banks worldwide
