indexed.digital

How I dumped 5,891 companies with banking details from a French logistics platform


Gustave Auto is a vehicle transport and delivery service based in France. Drivers sign up as independent contractors (mostly "EI" or auto-entrepreneur status), provide their banking details for payment, and the platform dispatches jobs to them. Basically a gig platform for car transport.

Their Supabase database had no Row Level Security. Every contractor record, including IBANs, BIC codes, home addresses, and phone numbers, was readable with the public anon key.

What happened

Same story as always with Supabase misconfigurations. The anon key was in the frontend JavaScript. I pointed it at the REST API:

GET /rest/v1/companies?select=*&limit=1000&offset=0

Full read access. 5,891 contractor/company records came back across 6 batches.

Why this one is bad

Most Supabase leaks I've seen expose emails and usernames. This one exposes financial data. Here's what each record contains:

Field             What it is
----------------  ------------------------------------------------
name              Full legal name
contact_email     Personal email
phone             Personal phone number
company_type      EI, SAS, self-employed, gustave_intern
siret             French business registration number
banking_details   IBAN and BIC code
invoice_details   Full home address with GPS coordinates
stripe_id         Stripe customer ID (e.g. cus_R7A6Gypb4EIPjq)
referral_code     Unique referral code

To be concrete about what "banking details" means here: [name redacted]'s record contains his IBAN [redacted] and BIC [redacted]. His home address is [street redacted], 92390 Villeneuve-la-Garenne, with coordinates [redacted]. His phone, email, and Stripe customer ID are all there too.

That's one record. There are 5,890 more like it.

The geography

Almost all contractors are in France. Heavy concentration around Paris and Ile-de-France, with clusters in Lyon, Grenoble, Bordeaux, Toulouse. A smaller set operates out of London. A few are scattered across other countries, including one in Sri Lanka and one in Ireland.

The address data includes full street addresses, postal codes, city names, and latitude/longitude pairs accurate enough to pinpoint a building. The zone_name and subzone_number fields map to Gustave's internal delivery zones, telling you exactly which area each driver covers.

What someone could do with this

This isn't theoretical. With an IBAN, someone can set up fraudulent direct debits in SEPA countries. It takes a signed mandate, but forged mandates are a known fraud vector and the IBAN alone gets you halfway there. Combined with the person's full name, address, and phone number from the same record, social engineering the rest is straightforward.

The Stripe customer IDs are also a problem. If Gustave's Stripe dashboard or API keys are similarly misconfigured (I didn't check), those IDs could be used to look up payment history.

And then there's the physical safety angle. 5,891 home addresses, down to GPS coordinates, for people who drive around carrying other people's cars. Not great.

The technical issue

Same as the others: Supabase with RLS either disabled or not configured with any policies. The anon key, which is designed to be in the frontend and is supposed to be locked down by row-level policies, had full SELECT on the companies table.

-- Turn on RLS. With RLS enabled and no policies, the table denies every row
-- to roles that do not own it, including anon and authenticated.
ALTER TABLE companies ENABLE ROW LEVEL SECURITY;

-- Let a signed-in user read only the row linked to their own account.
-- auth.uid() is NULL for requests made with the anon key, so anonymous
-- reads match nothing. Assumes companies.user_id holds the owner's auth.users id.
CREATE POLICY "Users read own company"
  ON companies FOR SELECT
  USING (auth.uid() = user_id);

Twenty lines of SQL would have prevented this.
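An added audit, not from the original post, for checking your own Supabase project for the state described in this section (public tables with RLS off while the anon role holds SELECT) and for confirming the fix above from the anon role's point of view. It assumes Supabase's default anon role, that the role you use in the SQL editor can SET ROLE anon (Supabase's postgres role can), and the companies / user_id names from the snippet above.

```sql
-- Added audit example, not from the original post. Run in the Supabase SQL
-- editor against your own project. It assumes Supabase's standard anon role
-- and that PostgREST exposes the public schema (the default).

-- 1. Find tables in the state that exposed `companies`: RLS disabled while the
--    anon role holds SELECT. Tables with RLS on but no policies deny all rows
--    to non-owner roles, so they are listed only for review.
WITH tbl AS (
  SELECT c.relname, c.relrowsecurity
  FROM pg_class c
  JOIN pg_namespace n ON n.oid = c.relnamespace
  WHERE n.nspname = 'public'
    AND c.relkind IN ('r', 'p')              -- plain and partitioned tables
),
pol AS (
  SELECT tablename, count(*) AS n_policies
  FROM pg_policies
  WHERE schemaname = 'public'
  GROUP BY tablename
)
SELECT t.relname                                   AS table_name,
       t.relrowsecurity                            AS rls_enabled,
       coalesce(p.n_policies, 0)                   AS policies,
       has_table_privilege('anon',
         format('public.%I', t.relname), 'SELECT') AS anon_can_select,
       CASE
         WHEN NOT t.relrowsecurity
              AND has_table_privilege('anon', format('public.%I', t.relname), 'SELECT')
           THEN 'EXPOSED: every row readable with the anon key'
         WHEN NOT t.relrowsecurity
           THEN 'RLS disabled (anon lacks SELECT; check other roles)'
         WHEN coalesce(p.n_policies, 0) = 0
           THEN 'RLS on, no policies: deny-all, confirm this is intended'
         ELSE 'RLS on with policies: review each USING clause'
       END                                         AS finding
FROM tbl t
LEFT JOIN pol p ON p.tablename = t.relname
ORDER BY t.relrowsecurity, table_name;

-- 2. After applying the ALTER TABLE / CREATE POLICY above, confirm the fix
--    from the anon role's point of view. Inside a transaction the role change
--    is undone by ROLLBACK. auth.uid() is NULL here, so the count should be 0.
BEGIN;
SET LOCAL ROLE anon;
SELECT count(*) AS rows_visible_to_anon FROM public.companies;
ROLLBACK;
```

The first query is worth running after every migration, since a table created later in the public schema starts with RLS disabled and the default grants until you enable it.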

GDPR note

Gustave Auto operates in France and the UK. This data falls squarely under GDPR. Full names, home addresses, bank account numbers, and phone numbers for nearly 6,000 individuals, stored without access controls and readable by anyone with a browser's dev tools. Under GDPR Article 32, controllers must implement "appropriate technical measures" to ensure data security. An open Supabase table with banking details in it doesn't qualify.