8.4TB in email metadata exposed in university data leak

A database owned by Shanghai Jiao Tong University required no authentication to access.
Written by Charlie Osborne, Contributing Writer

An exposed database belonging to Shanghai Jiao Tong University exposed 8.4TB in email metadata after failing to implement basic authentication demands.

The exposed server was discovered on May 22, 2019, by Cloudflare Director of Trust & Safety Justin Paine.

As described on the Rainbowtabl.es security blog, Paine found the ElasticSearch database through a Shodan search. 

The open database contained 9.5 billion rows of data and was active at the time of discovery, given that its size increased from 7TB on May 23 to 8.4TB only a day later.

See also: Unsecured database exposes 85GB in security logs of major hotel chains

The database belongs to Shanghai Jiao Tong University, a large academic institution based in China. The university caters for over 41,000 students in undergraduate to Ph.d. capacities.

The information contained in the database was packaged up through Zimbra, a popular open-source email solution used by over 200,000 businesses worldwide.

It appears that the bulk email cache related to email being sent "by a specific person," according to the researcher, and also included the IP addresses and user agents of those checking their email.

TechRepublic: 5 reasons why you should use a password manager

Email threads between specific users could be seen, but it is worth noting that only the metadata was involved, and neither subject lines or email body content was exposed.


A day after the discovery, Shanghai Jiao Tong University was notified of the open server. To the institution's credit, the leak was plugged within 24 hours.  

"While searching Shodan, I recently discovered an ElasticSearch database without any authentication," Paine said. "This database contained metadata related to a huge amount of emails. I would like to thank the university's security team for their prompt action to secure this data once notified. As far as I am aware they have not notified the impacted students though."

CNET: Sign In with Apple will come to every iPhone app: How the new privacy login tool works

Shodan is becoming a common factor in researchers discovering open, unsecured databases and servers. Earlier this month, researchers from vpnMentor found an open database which exposed 85.4GB in security audit logs belonging to major hotel chains and independent resorts via a property management company.

Europol’s top hacking ring takedowns

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards