BACKUP AND DATA RECOVERY OUTFIT Veeam left 445 million customer records on an open server on Amazon Web Services.
The database was uncovered by security researcher Bob Diachenko. He says that he uncovered the trove of personal information on 5 September, but that it was taken down or offline four days later - presumably, he says, after he contacted the company.
According to Diachenko, the MongoDB database was indexed by Shodan, the search engine that indexes internet-connected devices, on 31 August.
The 200GB database "included vast masses of data that is apparently used by Veeam marketing automation team to reach out to their customers using Marketo", wrote Diachenko in a blog posting writing up the find. Marketo is a widely used marketing automation solution.
The huge volume of data - and its publication online - may give rise to an investigation under the General Data Protection Regulation (GDPR).
In addition to alerting Veeam, Diachenko also shared the information with TechCrunch journalist Zack Whittaker.
"The database of more than 200 gigabytes [includes] two collections that had 199.1 million and 244.4 million email addresses and records respectively over a four-year period between 2013 and 2017. Without downloading the entire data set, it's not known how many records are duplicates," wrote Whittaker.
A Veeam spokesperson claimed that the company would conduct an investigation and "take appropriate action" accordingly. They added that the company has ensured that all Veeam databases are now secured appropriately.
However, BleepingComputer pointed out that misconfigured MongoDB databases ought to be a thing of the past, given the number of data spillages that have involved them. The software was originally distributed without security features turned on by default.