Data management firm Veeam accidentally exposes over 440 million email addresses online

  • The exposed data included about 445 million customer records.
  • Security researcher Bob Diachenko discovered the exposed data on an unsecured MongoDB server via Shodan.

Swiss-based data management company Veeam has inadvertently exposed over 200GB of data online.

The exposed data included about 445 million customer records along with customers' personal information such as full names, email addresses and country of residence. Two collections contained 199.1 million email addresses and 244.4 million records aggregated between 2013 and 2017.

Security researcher Bob Diachenko discovered the trove of information on an unsecured MongoDB server via Shodan on September 5. However, on September 9, the data was no longer available online. The company fixed the vulnerable database by updating its software.

Diachenko said other marketing details such as type of customer and organization size, IP addresses, referred URLs, user agent and more were also exposed. It is not immediately clear how long the data was available online.

According to Diachenko, the IP address of the server had been indexed by Shodan on August 31.

As per Veeam’s website, it serves about 307,00 customers including most of the Fortune 500. Among its customers are Gatwick Airport, Scania, Norwegian Cruise Line and more.

In a response to BleepingComputer, Veeam said the exposed information was part of their marketing databases. This data was open to third-party entities for a short time period.

“It has been brought to our attention that one of our marketing databases, leaving a number of non-sensitive records (i.e. prospect email addresses), was possibly visible to third parties for a short period of time,” Veeam said in a statement, BleepingComputer reported. “We have now ensured that ALL Veeam databases are secure. Veeam takes data privacy and security very seriously, and a full investigation is currently underway.”
Cyware Publisher
