Santander, the fifth largest bank in Europe and the 16th largest in the world, has been leaking sensitive company data due to a misconfiguration on one of its websites.

Security analysts at CyberNews discovered that Santander’s Belgian branch, Santander Consumer Bank, had a misconfiguration in its blog domain that allowed its files to be indexed.

The indexed files include an SQL dump and a JSON file that could be used by hackers to launch phishing attacks. The JSON file contained Santander’s CloudFront API keys. With these keys, hackers would be able to swap out Santander’s real content — images, videos, documents and other static files — for their own.

In practice, this means that if, for example, a static HTML file were hosted there, a hacker could replace it with an entire web page of their own, creating a phishing page to steal users’ financial information, all while on Santander’s official Belgian domain.

“For Santander’s customers, as well as all other banking customers, we’d recommend that you always check the domain and subdomain that a suspicious bank email is sending you to,” says CyberNews’ senior researcher Bernard Meyer. “Make sure that the domain is the bank’s real domain, but also know that important financial information requests would never be hosted on the blog subdomain of a bank.”

Santander was informed of the misconfiguration on April 15 and has now fixed it. A Santander Consumer spokesperson says, “The incident highlighted relates specifically to the Santander Consumer Bank Belgium blog only. The blog contains only public information and articles, and therefore no customer data or critical information from the blog has been compromised. Our security team has already fixed the issue to ensure the blog is secure.”

You can read more about the leak on the CyberNews site.