Unsecured MongoDB database exposed 200GB of Veeam customer data


Data recovery and backup firm Veeam left an unsecured MongoDB database server with 445 million customer records hosted on AWS that could have been accessed by anyone, it has been revealed.

Security researcher Bob Diachenko discovered the unsecured database server on 5 September and noted it was left unsecured until 9 September, after which it was secured by Veeam with little comment in response to Diachenko's security alerts to the company.

As such, a 200GB database, which Veeam used for marketing processes, was left open and searchable for anyone who came across it. The data contained customer personal information, including email addresses and first and last names.

Diachenko noted the database was indexed by the Shodan search engine, which showed it was open on 31 August. This suggests the database was exposed for a good nine days.

Veeam has some 307,000 customers, including big names like Gatwick Airport, Scania, and a handful of healthcare and university users.

While no data relating to Veeam's customers was stolen, attackers increasingly search for unsecured databases and servers, which present tantalising data troves to exploit, especially given there are scripts that automate the search for unsecured servers.

"It has been brought to our attention that one of our marketing databases, leaving a number of non-sensitive records (i.e. prospect email addresses), was possibly visible to third parties for a short period of time," Veeam told BleepingComputer.

"We have now ensured that ALL Veeam databases are secure. Veeam takes data privacy and security very seriously, and a full investigation is currently underway."

Veeam later highlighted that a lot of the exposed records were duplicates and that, upon review, 4.5 million unique email addresses were exposed. It also reiterated that no sensitive data was exposed.

While modern MongoDB releases are configured to refuse networked connections unless explicitly configured to accept them, in this case Veeam appears to have used an older version of the database, which did not enable security features by default because it was not originally designed for use on cloud servers.
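The two settings that decide whether a MongoDB instance is reachable and unauthenticated from the network are `net.bindIp` (which interfaces the server listens on) and `security.authorization` (whether clients must present credentials). The following shell audit, added here as an example and not code from the article or from Veeam, checks a `mongod.conf` for both and runs it against two constructed sample files: a legacy-style configuration that listens on every interface with no authorization, and a hardened one. The file paths and the `audit_mongod_conf` function name are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the article): flag a mongod.conf whose network and
# authorization settings would leave the instance open to anyone who finds it.

audit_mongod_conf() {
    conf="$1"
    findings=""
    # bindIp: 0.0.0.0 (or absent on pre-3.6 builds) means every interface.
    # Absent is flagged too, because the default depends on the server version.
    bind=$(sed -n 's/^[[:space:]]*bindIp:[[:space:]]*//p' "$conf" | head -n 1)
    case "$bind" in
        ""|*0.0.0.0*) findings="$findings listens-on-all-interfaces" ;;
    esac
    # bindIpAll: true overrides any bindIp value.
    if grep -Eq '^[[:space:]]*bindIpAll:[[:space:]]*true' "$conf"; then
        findings="$findings bindIpAll-set"
    fi
    # security.authorization must be "enabled" or clients need no credentials.
    if ! grep -Eq '^[[:space:]]*authorization:[[:space:]]*enabled' "$conf"; then
        findings="$findings authorization-not-enabled"
    fi
    if [ -z "$findings" ]; then
        echo "OK"
    else
        echo "INSECURE:$findings"
    fi
}

workdir=$(mktemp -d)
INSECURE_CONF="$workdir/mongod-legacy.conf"
HARDENED_CONF="$workdir/mongod-hardened.conf"

# Constructed sample: legacy-style config, all interfaces, no authorization.
cat > "$INSECURE_CONF" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
EOF

# Constructed sample: hardened config, loopback only, authorization required.
cat > "$HARDENED_CONF" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
EOF

audit_mongod_conf "$INSECURE_CONF"   # INSECURE: listens-on-all-interfaces authorization-not-enabled
audit_mongod_conf "$HARDENED_CONF"   # OK
```

On a cloud host that must serve other machines, `bindIp` should name the private interface address rather than `0.0.0.0`, and `authorization: enabled` still applies: binding alone does not stop anyone who can reach that interface, and a security group or firewall rule restricting port 27017 to known clients belongs alongside both settings.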

Such a situation highlights the need to be particularly diligent when configuring data-laden servers, especially in organisations undergoing digital transformation or transitioning services to the cloud.

Roland Moore-Colyer

Roland is a passionate newshound whose journalism training initially involved a broadcast specialism, but he’s since found his home in breaking news stories online and in print.

He held a freelance news editor position at ITPro for a number of years after his lengthy stint writing news, analysis, features, and columns for The Inquirer, V3, and Computing. He was also the news editor at Silicon UK before joining Tom’s Guide in April 2020 where he started as the UK Editor and now assumes the role of Managing Editor of News.

Roland’s career has seen him develop expertise in both consumer and business technology, and during his freelance days, he dabbled in the world of automotive and gaming journalism, too.