The Register

EY exposes 4TB+ SQL database to open internet for who knows how long

A Dutch cybersecurity outfit says its lead researcher recently stumbled upon a 4TB+ SQL Server backup file belonging to EY exposed to the web, effectively leaking the accounting and consulting megacorp’s secrets.

Among the BAK file’s data were API keys, cached authentication tokens, session tokens, service account passwords, and user credentials, Neo Security’s writeup explained.

“Finding a 4TB SQL backup exposed to the public internet is like finding the master blueprint and the physical keys to a vault, just sitting there,” it said. “With a note that says ‘free to a good home.’

“[The lead researcher had] investigated breaches that started with less. Way less. He once traced an entire ransomware incident back to a single web.config file that leaked a connection string. That was 8 kilobytes. This was four terabytes.”

The researcher, who was not named in the company’s report, downloaded the first thousand bytes of the file and found that the BAK file was also unencrypted.

It became exposed via a classic cloud bucket misconfiguration. Neo Security said the case was reminiscent of a similar breach it saw years ago when investigating a ransomware case.

In that case, one of the victim company’s engineers was caught being lazy during a database migration. Not wanting to deal with extra hassle, they simply set a bucket to public for five minutes, downloaded the full SQL database backup to migrate, and made it private again.

But that was enough time for attackers’ automated scans to pick up on the exposure. They downloaded the file for themselves, along with trade secrets and credentials. Neo Security said the company went under after issuing the breach notification.

The security shop said: “Modern cloud platforms make it trivially easy to export and back up your database. A few clicks, select your database, choose a destination bucket, and you’re done. The export happens automatically in the background.

“But here’s where it gets dangerous: one wrong click, one typo in a bucket name, and suddenly your private data is sitting in a public bucket… It’s that easy to accidentally leak terabytes of sensitive data.

“The tools are designed for convenience, not security. They assume you know what you’re doing. They don’t warn you that you just exported your entire customer database to a bucket that’s readable by anyone on the internet.”
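The misconfiguration Neo Security describes above, a database export landing in a bucket readable by anyone, is the kind of thing a short offline audit can catch before a researcher or an attacker does. The following is an added example, not code from The Register, EY or Neo Security: it inspects a bucket ACL and a bucket policy in the JSON shapes returned by the AWS S3 GetBucketAcl and GetBucketPolicy APIs, flags grants or statements that give read access to everyone, and cross-checks them against object keys that look like database backups. The ACL, policy and key list below are constructed samples, and the helper names are mine.

```python
"""Offline audit of an S3-style bucket for public read access combined with
backup-looking objects. Added example; the input documents are constructed
samples in the shape of AWS GetBucketAcl / GetBucketPolicy responses."""
import json
import re
from typing import Dict, List

# Well-known S3 group grantee URIs that mean "everyone" or "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}
READ_PERMS = {"READ", "FULL_CONTROL"}

# Object keys that look like database dumps or SQL Server backups (.bak/.trn).
BACKUP_KEY = re.compile(r"\.(bak|trn|bacpac|sql|dump)(\.gz|\.zip|\.7z)?$", re.I)


def acl_public_read(acl: Dict) -> List[str]:
    """Return grantee URIs in a bucket ACL that grant read access to everyone."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GRANTEES
                and grant.get("Permission") in READ_PERMS):
            hits.append(grantee["URI"])
    return hits


def policy_public_read(policy: Dict) -> List[str]:
    """Return Sids of Allow statements that let any principal read objects.
    Statements carrying a Condition are still flagged but marked for review,
    since the condition may or may not actually narrow the audience."""
    hits = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if isinstance(aws, str):
            aws = [aws]
        wildcard = aws is not None and "*" in aws
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        reads = any(a.lower() in ("s3:getobject", "s3:get*", "s3:*", "*") for a in actions)
        if wildcard and reads:
            sid = st.get("Sid", "<no Sid>")
            hits.append(sid + (" (conditional)" if "Condition" in st else ""))
    return hits


def backup_objects(keys: List[str]) -> List[str]:
    """Return keys whose names look like database backups or dumps."""
    return [k for k in keys if BACKUP_KEY.search(k)]


def audit(acl: Dict, policy: Dict, keys: List[str]) -> Dict:
    """Combine the three checks; 'critical' means a public bucket holds a backup."""
    findings = {
        "public_acl": acl_public_read(acl),
        "public_policy": policy_public_read(policy),
        "backup_objects": backup_objects(keys),
    }
    exposed = bool(findings["public_acl"] or findings["public_policy"])
    findings["critical"] = exposed and bool(findings["backup_objects"])
    return findings


# Constructed sample inputs: a bucket with a public-read ACL grant, a public
# GetObject policy statement, and a SQL Server backup sitting next to a logo.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OpsWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ops"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
SAMPLE_KEYS = ["assets/logo.png", "exports/prod-db-2024.bak", "exports/README.txt"]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_KEYS), indent=2))
```

In practice the three inputs would come from the cloud API (or a config export) rather than inline literals, and the same check belongs in the pipeline that performs the export, so that a backup job refuses to write to a destination that already fails this audit.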

It’s not clear for how long EY’s database was exposed, but in such scenarios it is wise to assume the file was compromised from the moment you discover it was exposed.

By the time the researcher confirmed their findings, it was the weekend, and it took some frantic cold messaging on LinkedIn to be put through to the company’s incident responders. The security firm praised EY’s response as professional and effective, and a week later the incident was remediated.

The Register has asked EY for additional information. ®
