Data management firm Veeam mismanages own data, leaks millions of records

Updated: The server was reportedly available for anyone to access and lacked any form of protection against intrusion.
Written by Charlie Osborne, Contributing Writer

A company which has built its reputation on global data management services appears to have left a treasure trove of data open to the prying eyes of the public.

Baar, Switzerland-based Veeam calls itself the "global leader in intelligent data management" and offers "Hyper-Available" data management solutions able to merge traditional data backup and recovery tools with modern cloud environments.

However, in what appears to be the absolute opposite of such claims, the company is reported to have left a server holding 200GB of data exposed online.

The unsecured MongoDB server was indexed on August 31 and remained open until September 9.

According to security researcher Bob Diachenko, an investigation he led together with TechCrunch uncovered approximately 445 million records.

The server was used to store data based on the Marketo marketing solution. The leaked records included email addresses, names, countries, and some attribute values such as IP addresses, referral details, and user agents.

Records were timestamped between 2013 and 2017, and it is believed the database was related not to Marketo infrastructure but rather to Veeam's architecture. It is possible some of the records may be duplicates.

The discovery was made possible through Shodan, a search engine which can be used to find Internet-connected devices and, in some cases, open systems.

The server was pulled offline three hours after TechCrunch informed Veeam of the mismanagement.

"Even taking into account the non-sensitivity of data, the public availability of such large, structured and targeted dataset online could become a real treasure chest for spammers and phishers," Diachenko said. "It is also a big luck that database was not hit by a new wave of ransomware attacks which have been specifically targeting MongoDBs."

The security researcher is referring to a campaign called Mongo Lock, which is currently targeting open and unprotected MongoDB servers. The threat actors behind the attack aim to hijack these servers, wipe all of the data held within, and then demand a ransom from victims in return for their content.

A Veeam company spokesperson told ZDNet:

"It has been brought to our attention that one of our marketing databases, leaving a number of nonsensitive records (i.e. prospect email addresses), was possibly visible to third parties for a short period of time. We have now ensured that all Veeam databases are secure.

Veeam takes data privacy and security very seriously, and a full investigation is currently underway."

In August, Air Canada notified customers of a data breach which has potentially exposed passport information belonging to approximately 20,000 customers.

"Unusual login behavior" was detected between August 22 and 24 in systems related to the Air Canada mobile app, according to the carrier, and while the attack was swiftly shut down, it is possible that information including names, email addresses, passport numbers, birthdates, and nationalities, among other data sets, has been compromised.

Update 14.07 BST, 13.9: On Thursday, Peter McKay, Veeam's co-chief executive, published a blog post confirming the incident.

"Unfortunately, this week, we had an incident where one of our marketing databases was mistakenly left visible to unauthorized third parties," the executive said. "During some maintenance of our network, this single marketing database containing marketing records (that may include names, e-mail addresses, and IP addresses) was left visible and exposed due to human error."

McKay added that on review, considering duplicates, 4.5 million unique e-mail addresses were exposed.

"We have taken additional steps to ensure every database meets our security protocols and we continue with our investigation into this incident," McKay added. "We have also taken the additional step to report the incident to certain regulatory authorities to establish an open and transparent line of communication to address any concerns they may have."
