Millions of Records Exposed in Veeam Misconfigured Server

Hundreds of millions of records were exposed after a MongoDB server belonging to disaster-recovery firm Veeam was left misconfigured, researchers found.

The open server contained a 200-gigabyte database with more than 440 million records. Researcher Bob Diachenko, who discovered the misconfiguration, said he was able to access the open server sans password on Sept. 5 – and that it was left publicly searchable and wide open until Sept. 9.
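The exposure described above comes down to a MongoDB instance listening on a public interface with authorization switched off. As an added illustration (not the article's content and not Veeam's actual configuration), the mongod.conf settings below show that exposed state beside a hardened equivalent; the private address and certificate path are assumptions, and the `net.tls` keys exist in MongoDB 4.2 and later.

```yaml
# Constructed example: an EXPOSED mongod.conf, the pattern behind open-database finds.
# Listening on every interface with authorization disabled means any client that
# can reach port 27017 can list, read and modify every database without a password.
net:
  bindIp: 0.0.0.0            # reachable from the Internet, not only from the host
  port: 27017
security:
  authorization: disabled    # no credentials required for any operation

---
# Hardened equivalent: bind only to loopback and an assumed private address,
# require authentication for every operation, and require TLS so credentials
# and records do not cross the network in clear text.
net:
  bindIp: 127.0.0.1,10.0.0.5          # assumed private address; adjust to your network
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # assumed path to the server cert+key
security:
  authorization: enabled     # users and roles must be created (localhost exception first)
```

After restarting with the hardened file, a quick check from outside the host is `mongosh --host <server> --eval 'db.adminCommand({listDatabases: 1})'`, which should fail with an Unauthorized error rather than return the database names.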

That database contained “marketing data, more than 440 million records mostly consisting of names, email addresses and IP addresses… Some may be duplicates,” Diachenko told Threatpost on Tuesday. The records include fields such as a customer’s first and last name, email address, email recipient, country and customer organization size.

The data seemed to be used by Veeam’s marketing automation team to reach their customers using their Marketo solution – a tool focused on account-based marketing through email, social or mobile, said Diachenko in a post about the incident. The data is part of Veeam’s marketing server infrastructure.

The data’s dates of creation and updates span a four-year period, from 2013 to 2017.

“Based on the collection names and analysis of data in the database, my first guess was that database originated from Marketo server, so I also sent security notifications to their email addresses,” said Diachenko. “However, upon further analysis I came to conclusion that data was part of Veeam marketing server infrastructure, rather than Marketo.”

Diachenko said the database was secured shortly after he – and TechCrunch – sent Veeam a security notification about the exposed server. However, he said he has not received any official response from the company.

A Veeam spokesperson told Threatpost via email: “It has been brought to our attention that one of our marketing databases, leaving a number of non-sensitive records (i.e. prospect email addresses), was possibly visible to third parties for a short period of time. We have now ensured that ALL Veeam databases are secure. Veeam takes data privacy and security very seriously, and a full investigation is currently underway.”

Veeam’s is far from the only MongoDB, Hadoop or CouchDB installation, or cloud storage bucket, that has been left exposed. In July, researchers discovered a misconfigured Amazon S3 bucket leaking the information of U.S. voters; the public bucket belonged to a Virginia-based political campaign and robocalling company called Robocent.

In April, a leaky MongoDB database made public the personal information of 25,000 investors tied to the Bezop cryptocurrency. And in March, a Walmart jewelry partner’s misconfigured AWS S3 bucket left the personal details and contact information of 1.3 million customers in plain sight.

Exposed servers like these put customers’ private data or credentials in the hands of attackers, who can use them – at the very least – for phishing campaigns, and potentially for worse.

“Even taking into account the non-sensitivity of data, the public availability of such large, structured and targeted dataset online could become a real treasure chest for spammers and phishers,” said Diachenko. “It is also a big luck that database was not hit by a new wave of ransomware attacks which have been specifically targeting MongoDBs (with much more extortion amount demand than it was last year).”