Cloud data management company Veeam is the latest to fumble security for internet-connected databases, having left hundreds of millions of marketing records wide open to the internet.
Independent security researcher Bob Diachenko wrote that the misconfigured MongoDB instance hosted on Amazon Web Services was indexed by the Shodan.io vulnerability scanner on August 31 US time this year.
Diachenko found it on September 5, and discovered it contained over 445 million records collected over a four year period until 2017, totalling more than 200 gigabytes.
The information stored in the MongoDB instance was marketing leads, and not sensitive per se although the business email addresses it contained could have been exploited by spammers and phishers.
Diachenko said he tried to report the database to Veeam without success. The company did not act until US media contacted it about the information leak, Diachenko added.
Veeam confirmed the database leak to iTnews and said the information store has now been secured.
"It has been brought to our attention that one of our marketing databases [containing] a number of non-sensitive records (that is, prospect email addresses) was possibly visible to third parties for a short period of time," it said in a statement.
"We have now ensured that all Veeam databases are secure. Veeam takes data privacy and security very seriously, and a full investigation is currently underway."
Unsecured MongoDB instances connected to the internet are still widely found despite several high-profile information leaks, database deletions and ransomware attacks.
_page-0001.jpg&w=100&c=1&s=0)
Integrate Expo 2025
.png&w=120&c=1&s=0)
Security Exhibition & Conference 2025
Digital As Usual Cybersecurity Roadshow: Brisbane edition
iTnews Benchmark Security Awards 2025
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
