Millions of Records Exposed in Veeam Misconfigured Server

Exposed data included names, emails addresses and IP addresses.


Hundreds of millions of records were exposed after a MongoDB server belonging to disaster-recovery firm Veeam was left misconfigured, researchers found.

The open server contained a 200-gigabyte database with millions of records. Researcher Bob Diachenko, who discovered the misconfiguration, said he was able to access the open server sans password on Sept. 5 – and that it was left publicly searchable and wide open until Sept. 9.

That database contained “marketing data, more than 440 million records mostly consisting of names, email addresses and IP addresses… Some may be duplicates,” Diachenko told Threatpost on Tuesday. That includes data like customer’s first and last name, email, email recipient, country and customer organization size.

More recently, on Thursday, Veeam co-CEO and President Peter McKay stressed in a post that the incident has been resolved and due to duplicate records, the figure of exposed unique emails was actually closer to 4.5 million, as opposed to the 440 million previously reported by researchers.

“During some maintenance of our network, this single marketing database containing marketing records (that may include names, e-mail addresses and IP addresses) was left visible and exposed due to human error,” he said in the post. “While the database was not easily accessible, it was visible to unauthorized third parties. Once we validated the issue, we took immediate action to properly secure the database.”

The data seemed to be used by Veeam’s marketing automation team to reach their customers using their Marketo solution – a tool focused on account-based marketing through email, social or mobile, said Diachenko in a post about the incident. The data is part of Veeam’s marketing server infrastructure.

The data’s dates of creation and updates span a four-year period, from 2013 to 2017.

“Based on the collection names and analysis of data in the database, my first guess was that database originated from Marketo server, so I also sent security notifications to their email addresses,” said Diachenko. “However, upon further analysis I came to conclusion that data was part of Veeam marketing server infrastructure, rather than Marketo.”

Diachenko said that shortly after a security notification was sent by him – and by TechCrunch – to Veeam about the exposed server, the database was secured. However, he said he hasn’t heard of any official word back from the company.

A Veeam spokesperson told Threatpost via email: “It has been brought to our attention that one of our marketing databases, leaving a number of non-sensitive records (i.e. prospect email addresses), was possibly visible to third parties for a short period of time. We have now ensured that ALL Veeam databases are secure. Veeam takes data privacy and security very seriously, and a full investigation is currently underway.”

It’s certainly not the only MongoDB, Hadoop or CouchDB installation that’s ever been exposed – in July, researchers discovered another misconfigured repository bucket leaking the information of U.S. voters. The information was exposed on a public Amazon S3 bucket by a Virginia-based political campaign and robocalling company called Robocent.

In April, a leaky Mongo database made public the personal information of 25,000 investors tied to the Bezop cryptocurrency. And in March, a Walmart jewelry partner’s’ misconfigured AWS S3 bucket left personal details and contact information of 1.3 million customers in plain sight.

“Until companies learn to employ security measures across the board, this kind of exposure is going to keep happening,” Francis Dinha, CEO and co-founder of OpenVPN, told Threatpost. “We call it a ‘leak,’ but even that word shows how little we understand the risk of poor cyber security. In this case, ‘leak’ meant the exposure of millions upon millions of customer emails. In order to really prevent these kinds of security breaches, each individual employee needs to be educated on the importance of cyber security and the specific strategies you expect them to implement.”

These exposed servers risk putting customers’ private data or credentials in the hands of attackers to use – at the very least – for phishing attacks, or worse.

“Even taking into account the non-sensitivity of data, the public availability of such large, structured and targeted dataset online could become a real treasure chest for spammers and phishers,” said Diachenko. “It is also a big luck that database was not hit by a new wave of ransomware attacks which have been specifically targeting MongoDBs (with much more extortion amount demand than it was last year).”

This article was updated on Thursday, Sept. 13 to reflect a new statement posted by Veeam’s co-CEO and president on the investigation into the matter and the number of unique emails involved.

Suggested articles

Top 10 Breaches and Leaky Server Screw Ups of 2019

2019 was a banner year for data exposures, with billions of people affected by cloud misconfigurations, hacks and poor security practices in general. Here’s the Threatpost Top 10 for data-breach news of the year, featuring all the low-lights.

IoT security disasters

Top 10 IoT Disasters of 2019

From more widescale, powerful distributed denial of service (DDoS) attacks, to privacy issues in children’s connected toys, here are the top IoT disasters in 2019.