
Unsecured MongoDB database exposed 200GB of Veeam customer data

Millions of records were exposed on an AWS-based server


Data recovery and backup firm Veeam left an unsecured MongoDB database server with 445 million customer records hosted on AWS that could have been accessed by anyone, it has been revealed. 

Security researcher Bob Diachenko discovered the unsecured database server on 5 September and noted it remained unsecured until 9 September, when Veeam locked it down with little comment in response to Diachenko's security alerts to the company.

As such, a 200GB database, which Veeam used for marketing processes, was left open and searchable for anyone who came across it. The data contained customer personal information, including email addresses and first and last names.

Diachenko noted the database had been indexed by the Shodan search engine, which showed it was open on 31 August. This suggests the database was exposed for a good nine days.

Veeam has some 307,000 customers, including big names like Gatwick Airport, Scania, and a handful of healthcare and university users.

While no data relating to Veeam's customers was stolen, hackers are increasingly savvy at searching for unsecured databases and servers, which present tantalising troves of data to exploit, especially given that scripts exist to automate the search for unsecured servers.

"It has been brought to our attention that one of our marketing databases, leaving a number of non-sensitive records (i.e. prospect email addresses), was possibly visible to third parties for a short period of time," Veeam told BleepingComputer.

"We have now ensured that ALL Veeam databases are secure. Veeam takes data privacy and security very seriously, and a full investigation is currently underway."

Veeam later highlighted that many of the exposed records were duplicates and that, upon review, 4.5 million unique email addresses were exposed. It also reiterated that no sensitive data was exposed.

Modern MongoDB releases refuse remote network connections unless they are explicitly configured to accept them, but in this case it appears Veeam used an older version of the database that does not enable such protections by default, as it was not originally designed for deployment on cloud servers.
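As an added illustration, not taken from the original article or from Veeam, the two mongod.conf fragments below contrast the network-exposed configuration that older MongoDB builds permitted with a hardened one. `net.bindIp`, `net.port` and `security.authorization` are real mongod settings; since MongoDB 3.6 the server binds only to localhost unless told otherwise. The private address 10.0.0.5 is a placeholder chosen for this example.

```yaml
# --- Exposed configuration (the failure mode described above) ---
# Binding to every interface on a cloud host with a public address makes the
# database reachable from the internet, and with authorization left disabled
# any client that connects can read and search the data.
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on all interfaces, public ones included
# security.authorization omitted: defaults to disabled, so no login is required

# --- Hardened configuration ---
# Listen only on loopback and a private-network address (10.0.0.5 is a
# placeholder), and require clients to authenticate before touching any data.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # never a public interface; reach it over a VPN or private subnet
security:
  authorization: enabled       # every connection must present valid credentials
```

After restarting mongod, confirm the listening addresses with `ss -ltnp | grep 27017` on the host and check that a client connecting without credentials is refused on `show dbs`; a security group or firewall rule that blocks 27017 from the internet is the second, independent layer that would have limited an exposure like this one.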

Such a situation highlights the need to be particularly diligent when configuring data-laden servers, especially in organisations undergoing digital transformation programmes or service enterprises transitioning to the cloud.
