76,000 Fingerprints Were Exposed: How Can Hackers Use Them?

Using a fingerprint instead of a password can seem like a safer option because a fingerprint is more difficult to obtain. However, losing it to hackers is much worse because, unlike passwords, fingerprints are unique and cannot be replaced. It is therefore only natural to expect companies that store fingerprint-related login information to take all available safety precautions. Unfortunately, not all companies do so: a Brazilian organization called Antheus Tecnologia exposed thousands of fingerprints and other sensitive information because it failed to protect the server on which the breached data was stored. Consequently, thousands of sensitive user records are now in the hands of cybercriminals. If you want to know more about what happened and how hackers can exploit fingerprints, we invite you to read our full blog post.

Antheus Tecnologia specializes in the development of Automated Fingerprint Identification Systems, or AFIS for short. Its products are used not just by companies in Brazil but also around the world. Thus, it is no wonder that the organization has such a huge database of fingerprints and other sensitive information.

The server on which the breached database was stored allows users to log into the server’s system as well as register new users. According to cybersecurity experts from Safetydetectives.com, who discovered the data breach, enabling such access to a server is rather unusual because it places the server at risk. The experts also say that storing people’s actual fingerprints instead of keeping only hashes of them was a mistake. A hash of a fingerprint cannot be reverse engineered, so unlike actual fingerprints, hashes would be worthless to attackers.

Sadly, the failure of Antheus Tecnologia to secure its server resulted in 81.5 million records being leaked. To be more precise, 76 thousand of the leaked records were unique fingerprints. The data breach also exposed employee email addresses and telephone numbers. To make matters worse, researchers noticed another vulnerability in Antheus Tecnologia systems that might have allowed hackers to obtain biometric information like face recognition data. Specialists say that the breach has been secured, so hackers should not be able to access more of the company’s records.

What can you do if your fingerprint got exposed?

As mentioned at the beginning, you cannot change your fingerprint as you can change a password. However, if, for example, your mobile device was protected with a fingerprint up till now, you could remove it and set up a strong password instead. It might feel like a step back, as using fingerprints is thought to be more secure, but if you come up with a strong password, it should be difficult to crack. If you do not think you can come up with a complex combination yourself, why not let a tool like Cyclonis Password Manager generate strong passwords for you? If you want to learn more about our password manager, you could read here.

Depending on the device, you might be able to use a print of any finger instead of a password. Thus, if one of your fingerprints gets compromised, you could replace it with a print of another finger. This option is not ideal either, as using your other fingers might not be as comfortable as using your thumb or your index finger. Still, it could be a solution to your problems if you have an exposed fingerprint and fear that someone could misuse it. Of course, whether hackers will be able to exploit stolen fingerprints does not depend solely on the victims of the fingerprint data breach. All the companies that used Antheus Tecnologia fingerprint scanners and other devices should take action to ensure that the exposed fingerprints cannot be misused.

On the other hand, even if cybercriminals cannot take advantage of stolen data right now, they can store exposed fingerprints and wait until such an opportunity arrives because, unlike passwords or other sensitive information, biometric data will never lose its value.

How can hackers exploit fingerprints?

Depending on the fingerprint reader, a hacker could bypass it by placing a piece of paper with the exposed fingerprint picture printed on it. If the device is more sophisticated, hackers could try to make a 3D print instead. A successful attempt could help attackers gain access to a building, a device, or an account. For example, cybercriminals could try to gain unauthorized access to systems of the companies that used the exposed fingerprints.

Truth be told, fingerprints alone might be less useful because some systems require a password or other data too. However, if the attackers obtain the additional information, they could combine it with the exposed fingerprints and use it to commit various financial crimes, steal identities, blackmail victims, organize sophisticated phishing attacks, and so on. In other words, hackers can exploit fingerprints in many ways. Therefore, people whose fingerprints were exposed should be extra careful. Specialists recommend making sure that the websites you visit are secure, taking extra safety precautions like adding strong passwords or enabling two-factor authentication, avoiding suspicious emails, and not providing any sensitive information unless it is necessary.

To conclude, the mistakes of Antheus Tecnologia placed thousands of people’s identities at risk. Not to mention, the data breach might have given hackers the means to gain unauthorized access to various systems, buildings, and devices. All we can hope is that the company will learn from its mistakes and choose safer solutions in the future for ensuring the safety of biometric data. Perhaps the incident will encourage other organizations that deal with such sensitive information to do better as well. As for regular users, we advise using fingerprints over passwords only when it is necessary, as exposed fingerprints can do a lot of damage.

By Foley
May 18, 2020
