Finance Company Stores DB Credentials in Helpfully Labeled Spreadsheet
The Register, Thursday, April 30th, 2026
A fintech startup stored database root credentials and AWS keys in a password-protected Excel file on a shared intranet.
A fintech company that had invested over $1 million in military-grade security systems made a critical error by storing production database root credentials and master AWS IAM keys in a spreadsheet file on a company-wide SharePoint site accessible to all employees.
The spreadsheet was password-protected with a weak password following the pattern of company name plus year. The temporary measure originated from a disagreement between internal DevOps and external DBA teams over which password manager to use, resulting in credentials being stored unsecurely for eight months before an auditor discovered the vulnerability. This incident demonstrates how security compromises made to resolve internal conflicts can create severe risks, particularly in fintech firms handling millions or billions of dollars.