Veeam leaves 200 GB customer data open in misconfigured server

Veeam Swiss data management company inadvertently leaks over 440 million email addresses

Misconfigured Veeam server leads to data leakResearcher discovered an unprotected Veeam server which consisted of 200 GB sales data.

Recently, security researchers discovered a misconfigured MongoDB server which was used by Swiss data management company Veeam[1]. The firm specializes in developing backups, disaster recovery and intelligent data management software for physical, virtual and multi-cloud infrastructures. Yet, 200 GB of sales data has been left wide open.

Researcher Bob Diachenko discovered the misconfigured MongoDB server on September 5. Even though the expert tried to inform about the vulnerability, it was still left publicly searchable and wide open until September 9. The 200 GB of sales data contained over 440 million customer records[2].

I have come across it on September 5th and after quick data analysis I've been trying to responsibly disclose the information, without success. Server was left publicly searchable and wide open until September 9th, when it was quietly secured after several notification attempts made both by me and Zack Whittaker of TechCrunch.

200 GB of the database included personal information of Veeam customers

The researcher notes that the accessible 200 GB of data consisted of numerous personal information which was used by Veeam marketing team to contact their customers via Marketo Solution — the software company focusing on account-based marketing[3].

The collections consisted of approximately 445 million records obtained from 2013 to 2017 with the following information about customers[4]:

  • First and last name;
  • Email address;
  • Email recipient type (end-customer or partner);
  • Country;
  • Global region;
  • IP address;
  • Customer organization size;
  • Etc.

At first, Bob Diachenko thought that the misconfigured server belonged to Marketo. Although, further analysis revealed that Veeam inadvertently left the records open:

Based on the collection names and analysis of data in the database, my first guess was that database originated from Marketo server, so I also sent security notifications to their email addresses. However, upon further analysis I came to conclusion that data was part of Veeam marketing server infrastructure, rather than Marketo.

Cybercriminals might use open servers for money extortion

Even though the misconfigured server is already fixed, the data was vulnerable to attacks for almost four days. Taking into consideration the increased amount of ransomware and phishing attacks, this type of information could have been used for money extortion purposes[5].

Criminals search for open-access servers online to steal customer information. Usually, they collect the data and wipe out the server leaving merely a ransom note. Keep in mind that such attacks demand to pay enormous amounts of money for the stolen information. Thus, data management companies should be more careful.

About the author
Linas Kiguolis
Linas Kiguolis - Expert in social media

Linas Kiguolis is one of News Editors and also the Social Media Manager of 2spyware project. He is an Applied Computer Science professional whose expertise in cyber security is a valuable addition to the team.

Contact Linas Kiguolis
About the company Esolutions