How I Found an Excel Sheet with 200+ Bank Testing Account Login Details!
🚨 Important: I didn’t hack anything. I just used Google the right way.
What is a Google Dork?
A Google Dork is a search string built from advanced search operators to surface information that is not readily visible on websites. The technique is also known as Google hacking and is regarded as illegal when attackers use it for purposes such as cyber terrorism and cyber theft.
The Accidental Discovery
It started with a simple Google Dorking session.
While hunting for exposed credentials, I stumbled upon an Excel file indexed by Google. A glance at the file name sent chills down my spine: “dev_Bank_accounts_2024.xlsx”.
Digging Deeper with Google Dorks
I used a refined query to hunt for publicly available spreadsheets:
filetype:xls OR filetype:xlsx "username" "password"
NOTE: Scope the query to your own domain to check whether any of your usernames and passwords are exposed.
One of the results led me to a misconfigured banking subdomain, hosting internal test accounts meant for system validation.
What Was Inside?
After downloading the file, I found:
✅ 200+ bank testing accounts
✅ Usernames & passwords in plaintext
✅ First name, last name, age, and marital status
Shockingly, some accounts had live credentials, meaning a potential attacker could misuse them for fraudulent transactions.
How Did This Happen?
The leak was due to:
1. Misconfigured permissions on a public-facing server
2. Lack of access control to internal documents
3. Poor security practices (storing credentials in plain text)
Responsible Disclosure
Instead of exploiting the data, I immediately reported the issue to the bank’s security team. They acted swiftly, removing the exposed file and patching the misconfiguration.
Lessons for Security Teams
🔹 Never store credentials in public directories
🔹 Use robots.txt to prevent sensitive files from being indexed (it only asks well-behaved crawlers to stay away and does not block access, so pair it with real access controls)
🔹 Regularly audit and test for exposed data
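One way to run that audit against your own published files, as an added example that is not code from the original post: walk the web root (assumed to be reachable as a local directory) and flag every .xlsx whose header row names both a user column and a password column, using only the standard library.

```python
# Added example, not code from the original post: walk a published web root and flag
# any .xlsx whose first row names a user and a password column. Stdlib only: .xlsx is zipped XML.
import zipfile, xml.etree.ElementTree as ET
from pathlib import Path

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
USER_COLS = {"username", "user", "login", "email"}
PASS_COLS = {"password", "passwd", "pwd", "pass"}

def first_row_cells(xlsx_path):
    """Return the lowercased text of every cell in row 1 of the first sheet."""
    with zipfile.ZipFile(xlsx_path) as z:
        shared = []
        if "xl/sharedStrings.xml" in z.namelist():   # shared-string table, if present
            sst = ET.fromstring(z.read("xl/sharedStrings.xml"))
            shared = ["".join(t.text or "" for t in si.iter(f"{{{NS['m']}}}t"))
                      for si in sst.findall("m:si", NS)]
        sheet = ET.fromstring(z.read("xl/worksheets/sheet1.xml"))
        row = sheet.find("m:sheetData/m:row", NS)
        cells = []
        for c in (row.findall("m:c", NS) if row is not None else []):
            kind, v = c.get("t"), c.find("m:v", NS)
            if kind == "inlineStr":                  # <c t="inlineStr"><is><t>..</t>
                text = "".join(t.text or "" for t in c.iter(f"{{{NS['m']}}}t"))
            elif kind == "s" and v is not None:      # <v> is an index into shared
                text = shared[int(v.text)]
            else:                                    # number, bool or cached formula
                text = v.text if v is not None else ""
            cells.append(text.strip().lower())
        return cells

def is_credential_table(cells):
    return bool(USER_COLS & set(cells)) and bool(PASS_COLS & set(cells))

def audit_webroot(root):
    hits = []                                        # unreadable files are skipped, not fatal
    for p in sorted(Path(root).rglob("*.xlsx")):
        try:
            if is_credential_table(first_row_cells(p)):
                hits.append(str(p))
        except (zipfile.BadZipFile, KeyError, ET.ParseError, IndexError, ValueError):
            continue
    return hits

def write_minimal_xlsx(path, header):                # constructed sample input only
    cells = "".join(f'<c t="inlineStr"><is><t>{h}</t></is></c>' for h in header)
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{NS["m"]}">'
                   f'<sheetData><row r="1">{cells}</row></sheetData></worksheet>')
```

The scanner only reads the first row of the first sheet, so a workbook whose credential table starts lower down or on another sheet would need the header search widened.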
Final Thoughts
This incident highlights how one Google search can expose critical banking information. If a security researcher can find it, so can an attacker. Always think like a hacker before the real ones do.
Always use Google Dorking ethically! If you find exposed data, report it responsibly.
That’s it for now.
Cheers and peace out!
PoC image (NOTE: don’t report this PoC again, it might be closed as a duplicate)