Attack on Polish Loan Platform SuperGrosz Data Breach

By Ash K

SuperGrosz, a Poland-based online loan platform run by AIQLABS, disclosed a major security incident that exposed sensitive personal and financial data for tens of thousands of customers. National authorities have opened investigations. This advisory provides a technical summary, likely impact, detection and hunting guidance, and an action plan for security teams and incident responders.

Incident overview and timeline

In late October or early November 2025, SuperGrosz detected unauthorized access to parts of its customer database and reported the theft of sensitive records affecting tens of thousands of users. The company notified Polish CSIRTs and data protection authorities and began notifying affected customers. Public reporting places both the initial discovery and the public disclosure in early November 2025.

Authorities and industry reporting indicate this incident occurred amid a wave of coordinated cyberattacks targeting Polish digital services, which included both data exfiltration and service disruption across several organizations.

What the attackers took and why it matters

Reportedly exfiltrated data includes customer names, identification numbers, tax numbers, phone numbers, addresses, employment and income details, and in some cases banking information. The sensitivity and breadth of these fields make the dataset highly valuable for identity theft, fraud, synthetic identity creation, and targeted social engineering campaigns.

For financial institutions, exposure of loan application data is particularly damaging because it contains documentation and attributes used to verify identity and creditworthiness. Threat actors can monetize the dataset through direct fraud, account takeover attempts, or by selling records on criminal marketplaces.

Likely attack methods and attacker goals

Attribution details remain incomplete in public reporting, and the initial access vector has not been publicly confirmed. The techniques below are hypotheses based on observed patterns in the cluster of incidents and on common tactics against similar platforms:

  • Exploitation of vulnerable internet-facing applications or APIs to achieve unauthorized access to backend systems or databases.
  • Abuse of cloud backup or API misconfigurations to retrieve stored configuration or backup files containing credentials or database backups.
  • Credential stuffing or credential reuse attacks against administrative portals, combined with weak MFA or missing rate limits.
  • Supply chain or third-party compromise enabling pivot into SuperGrosz infrastructure.

Primary attacker objectives are data theft for financial gain, monetization through fraud, and potentially disruptive leverage against financial infrastructure. Attackers may also attempt follow-on actions such as extortion or sale of the stolen records.

Immediate technical impact

Compromised assets likely include the customer database and possibly backup archives or configuration files. Where banking details and personal IDs are present, downstream institutions and customers face increased risk of fraud. For SuperGrosz, there is regulatory exposure under data protection regimes, mandatory breach notification obligations, and potential reputational harm that may affect loan originations and partnerships.

Detection and hunting guidance for SOC teams

Focus on application, API, and backup telemetry. Key sources of truth are web server logs, API access logs, database audit trails, cloud storage access logs, and backup service logs. Example prioritized detection actions are:

  1. Search web and API logs for abnormal queries, elevated request rates, or unusual endpoints accessed by single IPs or small IP clusters, particularly those requesting bulk export, backup endpoints, or administrative URIs.
  2. Audit cloud storage and backup access logs for unexpected reads, snapshots created or downloaded outside maintenance windows, and API calls from unrecognized service principals or IPs.
  3. Look for large-volume SELECTs or table dumps originating from service accounts, application containers, or SQL endpoints outside normal ETL windows.
  4. Monitor for creation or use of new database accounts, changes to database roles, or elevation of privileges for existing accounts.
  5. Correlate outbound network connections from application servers to uncommon external destinations, which may indicate staging or exfiltration channels.

Sample hunting queries (adapt to your platform and schemas; the first is Splunk SPL, the second is KQL against the Microsoft Sentinel AWSCloudTrail table):

Web/API logs - high request volume to export, backup, or admin endpoints (Splunk SPL):

index=web_logs source=supergrosz_api
| where like(uri_path, "%export%") OR like(uri_path, "%backup%") OR like(uri_path, "%admin%")
| stats count by src_ip, uri_path, http_method, user_agent
| where count > 100

Cloud storage access - unexpected reads of backup objects (KQL). Note that S3 object-level reads such as GetObject only reach CloudTrail when data-event logging is enabled for the bucket; if it is not, this query returns nothing and you must fall back to S3 server access logs:

AWSCloudTrail
| where EventSource == "s3.amazonaws.com" and EventName in ("GetObject", "GetObjectVersion")
| where RequestParameters has "backup"
| where UserIdentityType != "AssumedRole" or UserIdentityArn !in ("arn:aws:iam::<account-id>:role/<trusted-backup-role>") // replace with your trusted service ARNs
| project TimeGenerated, UserIdentityType, UserIdentityArn, SourceIpAddress, RequestParameters
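Detection actions 1 and 3 from the list above, expressed as runnable hunting logic over constructed sample telemetry. This is example code added to this advisory, not code from SuperGrosz, AIQLABS or any vendor; the log formats, field names, thresholds and the assumed ETL window are all illustrative and must be tuned against your own baselines. It goes slightly beyond the list by adding a sequential-ID check, which separates record scraping from a busy but legitimate client.

```python
"""Detection actions 1 and 3 as runnable hunting logic over constructed sample
telemetry. Example code added to this advisory, not SuperGrosz or AIQLABS code;
log formats, field names, thresholds and the ETL window are all assumptions."""
from collections import defaultdict, deque
from datetime import datetime, time, timedelta
import re

SENSITIVE_PATH = re.compile(r"/(export|backup|admin)(/|$)", re.I)
CUSTOMER_PATH = re.compile(r"^/api/customers/(\d+)$")
ETL_WINDOW = (time(2, 0), time(4, 0))      # assumed nightly bulk-read window


def build_sample_web_log():
    """Constructed access log, one line per request:
    '<ISO timestamp> <src_ip> <method> <path> <status>'.
    One client walks customer IDs sequentially and then calls an export endpoint;
    two ordinary clients read a handful of records."""
    t0 = datetime(2025, 11, 3, 1, 10)
    lines = [f"{(t0 + timedelta(seconds=i)).isoformat()} 203.0.113.7 GET "
             f"/api/customers/{48100 + i} 200" for i in range(150)]
    lines += [f"{(t0 + timedelta(minutes=3, seconds=10 * i)).isoformat()} 203.0.113.7 "
              f"GET /admin/export?table=customers 200" for i in range(6)]
    for n, ip in enumerate(("198.51.100.20", "198.51.100.21")):
        lines += [f"{(t0 + timedelta(minutes=7 * n + j)).isoformat()} {ip} GET "
                  f"/api/customers/{5000 + 10 * n + j} 200" for j in range(4)]
    return "\n".join(lines)


# Constructed database audit trail: '<ISO timestamp> <db_user> <rows_returned> <statement>'
SAMPLE_DB_AUDIT = """\
2025-11-03T02:15:00 etl_svc 250000 SELECT * FROM customers
2025-11-03T09:42:11 app_svc 1 SELECT * FROM customers WHERE id = 48121
2025-11-03T10:03:47 app_svc 184320 SELECT id, name, id_number, tax_number, iban FROM customers"""


def parse_web_log(text):
    events = []
    for line in text.splitlines():
        ts, ip, method, path, status = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "method": method, "path": path, "status": int(status)})
    return sorted(events, key=lambda e: e["ts"])


def sliding_window_max(timestamps, window):
    """Largest number of timestamps falling inside any span of length `window`."""
    q, best = deque(), 0
    for ts in sorted(timestamps):
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        best = max(best, len(q))
    return best


def hunt_web(events, window=timedelta(minutes=5), burst_threshold=100, sensitive_threshold=5):
    """Action 1: per-source bursts of customer-record reads (with a sequential-ID
    check that separates scraping from normal browsing) and repeated access to
    export/backup/admin paths. Returns {src_ip: [finding, ...]}."""
    per_ip = defaultdict(lambda: {"reads": [], "ids": [], "sensitive": []})
    for e in events:
        m = CUSTOMER_PATH.match(e["path"])
        if m:
            per_ip[e["ip"]]["reads"].append(e["ts"])
            per_ip[e["ip"]]["ids"].append(int(m.group(1)))
        if SENSITIVE_PATH.search(e["path"].split("?", 1)[0]):
            per_ip[e["ip"]]["sensitive"].append(e["ts"])
    findings = defaultdict(list)
    for ip, d in per_ip.items():
        peak = sliding_window_max(d["reads"], window)
        ids = sorted(set(d["ids"]))
        sequential = sum(b - a == 1 for a, b in zip(ids, ids[1:]))
        if peak >= burst_threshold:
            findings[ip].append(f"{peak} customer reads within {window} "
                                f"({sequential} sequential IDs: scraping pattern)")
        if sliding_window_max(d["sensitive"], window) >= sensitive_threshold:
            findings[ip].append(f"{len(d['sensitive'])} hits on export/backup/admin paths")
    return dict(findings)


def hunt_db_audit(text, row_threshold=10_000):
    """Action 3: bulk result sets returned outside the ETL window, whoever ran them."""
    hits = []
    for line in text.splitlines():
        ts, user, rows, stmt = line.split(maxsplit=3)
        t = datetime.fromisoformat(ts).time()
        if int(rows) >= row_threshold and not (ETL_WINDOW[0] <= t < ETL_WINDOW[1]):
            hits.append((user, int(rows), stmt))
    return hits


if __name__ == "__main__":
    for ip, found in hunt_web(parse_web_log(build_sample_web_log())).items():
        print(ip, *found, sep="\n  ")
    for hit in hunt_db_audit(SAMPLE_DB_AUDIT):
        print("bulk read outside ETL window:", hit)
```

In the constructed data the scraper at 203.0.113.7 is reported twice (150 reads in under five minutes with 149 sequential IDs, then six export calls), the two ordinary clients are silent, and the 184,320-row read by app_svc at 10:03 is flagged while the identical-size ETL read at 02:15 is not. The sequential-ID count is the part worth keeping when you port this to your SIEM: volume alone generates noise from legitimate batch jobs, whereas a monotonically increasing key walk is almost never legitimate traffic.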
    

Response playbook and remediation steps

  1. Contain: Temporarily restrict public access to affected APIs and administrative interfaces. Apply network-level blocks for IPs associated with suspicious activity.
  2. Preserve evidence: Collect web server logs, database audit logs, cloud storage access logs, and any backup tool logs. Capture volatile memory from suspected hosts if live forensic analysis is required.
  3. Remove attacker access: After containment, rotate credentials for service accounts, database users, and API keys in one coordinated pass so the attacker cannot simply reuse secrets that were refreshed piecemeal. Revoke unused keys and invalidate active sessions and refresh tokens. Check for persistence the attacker may have planted (new database or IAM users, extra access keys, scheduled jobs) before declaring access removed. Implement or enforce MFA for administrative access.
  4. Patch and harden: Apply application and infrastructure patches, close unnecessary management ports, and tighten API rate limiting and input validation.
  5. Notify: Follow legal and regulatory obligations for breach notification. Inform affected customers with clear guidance on protective steps such as freezing accounts and monitoring statements.
  6. Eradicate and recover: Remove malicious artifacts, rebuild compromised hosts from trusted images, and restore clean backups where required. Verify integrity before bringing services fully back online.
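Step 2 of the playbook is where cases are won or lost later, because evidence that cannot be shown to be unchanged is of little use to regulators or prosecutors. The helper below, added here as an example and not taken from SuperGrosz, AIQLABS or any forensic tool, records a SHA-256 manifest for a collected evidence directory and re-verifies it; the case ID, collector address and the two sample log files are constructed. The manifest's own digest is returned so it can be recorded out of band (in the ticket, or a signed message), which is what lets you later prove the manifest itself was not edited.

```python
"""Evidence preservation helper for step 2 of the playbook: hash every collected
file into a manifest so later analysis can prove the copies are unchanged.
Example code added to this advisory, not SuperGrosz or AIQLABS code; the case
ID, collector and sample log content are constructed."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so multi-GB log archives do not need RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir, case_id, collector):
    """Hash every file under evidence_dir and record size, mtime and who collected
    it. Returns the SHA-256 of the manifest itself for out-of-band recording."""
    evidence_dir = Path(evidence_dir)
    entries = []
    for path in sorted(p for p in evidence_dir.rglob("*")
                       if p.is_file() and p.name != MANIFEST_NAME):
        st = path.stat()
        entries.append({"path": path.relative_to(evidence_dir).as_posix(),
                        "sha256": sha256_file(path),
                        "size": st.st_size,
                        "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()})
    manifest = {"case_id": case_id, "collected_by": collector,
                "collected_at_utc": datetime.now(timezone.utc).isoformat(),
                "files": entries}
    data = json.dumps(manifest, indent=2, sort_keys=True).encode()
    (evidence_dir / MANIFEST_NAME).write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def verify_manifest(evidence_dir, expected_manifest_digest=None):
    """Re-hash everything. Returns a list of problems; an empty list means intact."""
    evidence_dir = Path(evidence_dir)
    data = (evidence_dir / MANIFEST_NAME).read_bytes()
    problems = []
    if expected_manifest_digest and hashlib.sha256(data).hexdigest() != expected_manifest_digest:
        problems.append("manifest digest mismatch")
    for entry in json.loads(data)["files"]:
        path = evidence_dir / entry["path"]
        if not path.exists():
            problems.append(f"missing: {entry['path']}")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"modified: {entry['path']}")
    return problems


def demo():
    """Constructed evidence set: two log files; one is altered after collection."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = Path(tmp) / "evidence"
        (ev / "web").mkdir(parents=True)
        (ev / "web" / "access.log").write_text(
            "2025-11-03T01:10:00 203.0.113.7 GET /admin/export 200\n")
        (ev / "db_audit.log").write_text(
            "2025-11-03T10:03:47 app_svc 184320 SELECT * FROM customers\n")
        digest = build_manifest(ev, case_id="IR-2025-SG", collector="analyst@example.invalid")
        before = verify_manifest(ev, digest)
        (ev / "db_audit.log").write_text("tampered\n")      # simulate post-collection change
        after = verify_manifest(ev, digest)
        return before, after


if __name__ == "__main__":
    print(demo())
```

Run the manifest build immediately after copying logs off the affected hosts, and repeat verification whenever the evidence set changes hands. Collect from read-only snapshots or exported copies rather than the live files on a host that may still be under attacker control, and capture volatile memory before rebooting or rotating credentials on suspect hosts, since both destroy it.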

Longer term mitigation and lessons learned

The SuperGrosz incident highlights systemic risks in online lending platforms, where sensitive personal and financial data are concentrated in a few high-value systems. Recommended long-term controls include:

  • Use of database activity monitoring and strict least privilege for application-service accounts.
  • Encryption of sensitive fields at rest and separation of PII from payment credentials.
  • Hardened backup processes with access controls, immutable storage tiers, and multi-party approval for exports.
  • Robust API security practices: strong authentication, strict input validation, rate limiting, and measurable anomaly detection.
  • Continuous third-party risk assessments for cloud and vendor services with access to sensitive data.
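The API-security bullet above is easy to state and often implemented as one global per-IP limit, which is exactly what a scraper with a proxy pool walks around. The limiter below, added here as an example and not taken from SuperGrosz, AIQLABS or any framework, keys a token bucket on the authenticated subject plus source IP, gives export/backup/admin paths a far smaller budget than ordinary calls, and escalates to a lockout when a key keeps tripping the limit. The limits, path classes and the simulated traffic are assumptions.

```python
"""Token-bucket rate limiting with a separate, much smaller budget for sensitive
paths and escalating lockout on repeated violations. Example code added to this
advisory, not SuperGrosz or AIQLABS code; limits and path classes are assumptions."""
import re
import time
from dataclasses import dataclass

SENSITIVE = re.compile(r"^/(admin|export|backup)(/|$)")

# (bucket capacity, refill tokens per second) per path class; assumed values.
# Sensitive paths get 5 calls, refilled at 5 per minute; ordinary calls get 60/s.
LIMITS = {"sensitive": (5, 5 / 60), "default": (60, 60.0)}


@dataclass
class Bucket:
    tokens: float
    updated: float
    strikes: int = 0
    blocked_until: float = 0.0


class RateLimiter:
    def __init__(self, limits=LIMITS, now=time.monotonic):
        self.limits, self.now, self.buckets = limits, now, {}

    def classify(self, path):
        return "sensitive" if SENSITIVE.match(path.split("?", 1)[0]) else "default"

    def allow(self, client_key, path):
        """Return (allowed, reason). client_key should combine the authenticated
        subject and the source IP, so one stolen credential cannot spread its
        budget across a proxy pool and one IP cannot burn many accounts' budgets."""
        cls = self.classify(path)
        cap, rate = self.limits[cls]
        now = self.now()
        b = self.buckets.setdefault((client_key, cls), Bucket(tokens=cap, updated=now))
        if now < b.blocked_until:
            return False, "locked out"
        b.tokens = min(cap, b.tokens + (now - b.updated) * rate)   # lazy refill
        b.updated = now
        if b.tokens >= 1:
            b.tokens -= 1
            return True, cls
        b.strikes += 1
        if b.strikes >= 3:                    # third strike: lock out, doubling each time
            lockout = 60 * (2 ** (b.strikes - 3))
            b.blocked_until = now + lockout
            return False, f"locked out for {lockout}s"
        return False, "rate limited"


def simulate():
    """Constructed traffic on a fake clock: one client calls /admin/export once a
    second for ten seconds, then returns ten minutes later."""
    clock = [1000.0]
    rl = RateLimiter(now=lambda: clock[0])
    key = "user:42|203.0.113.7"
    results = []
    for _ in range(10):
        results.append(rl.allow(key, "/admin/export?table=customers"))
        clock[0] += 1.0
    clock[0] += 600.0
    results.append(rl.allow(key, "/admin/export"))
    return results


if __name__ == "__main__":
    for i, (ok, why) in enumerate(simulate()):
        print(i, "ALLOW" if ok else "DENY", why)
```

With the assumed limits the first five export calls pass, the next two are rate limited, the third violation triggers a 60-second lockout, and the client is admitted again once the lockout has expired and the bucket has refilled. Log every denial with the client key and path: the rate limiter is itself one of the best sources for the hunting queries earlier in this advisory.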

Customer and regulatory considerations

Financial services firms must assume customers may be targeted for identity theft and fraud. Recommend immediate steps for affected customers such as monitoring bank statements, placing fraud alerts with lenders and credit bureaus, and freezing identifiers where available (in Poland, restricting the PESEL number through the zastrzeżenie numeru PESEL service, which lenders are obliged to check before granting credit). Warn customers to expect convincing phishing and phone scams that quote their own loan details. From a regulatory perspective, coordinate with data protection authorities and CSIRTs to satisfy notification, mitigation, and remediation requirements.

Bottom line

The SuperGrosz incident demonstrates the severe downstream impact of exfiltrated financial and identity data. Organizations running consumer finance platforms must treat API security, backup integrity, and logging as first-class defenses. Rapid containment, exhaustive telemetry collection, and clear customer notification are the priorities for responders. Security teams should use this incident to validate detection coverage, harden backup and export controls, and accelerate zero trust and least-privilege measures across digital lending services.

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.