[BreachExchange] Veeam server lapse leaks over 440 million email addresses

Inga Goddijn inga at riskbasedsecurity.com
Fri Sep 14 09:41:20 EDT 2018


https://techcrunch.com/2018/09/11/veeam-security-lapse-leaked-over-440-million-email-addresses/

You know what isn’t a good look for a data management software company? A
massive mismanagement of your own customer data.

Veeam, a backup and data recovery company, bills itself as a data giant
that among other things can “anticipate need and meet demand, and move
securely across multi-cloud infrastructures,” but is believed to have
mislaid its own database of customer records.

Security researcher Bob Diachenko <https://twitter.com/MayhemDayOne> found
an exposed database containing more than 200 gigabytes of customer records,
mostly names, email addresses, and in some cases IP addresses. That might
not seem like much but that data would be a goldmine for spammers or bad
actors conducting phishing attacks.

Diachenko, who blogged about his latest find
<https://www.linkedin.com/pulse/veeam-inadvertently-exposed-marketing-info-hundreds-its-bob-diachenko/>,
said the database didn’t have a password and could be accessed by anyone
knowing where to look.

The database of more than 200 gigabytes included two collections that had
199.1 million and 244.4 million email addresses and records respectively,
covering a four-year period between 2013 and 2017. Without downloading the
entire data set, it’s not known how many records are duplicates.

After TechCrunch informed the company of the exposure, the server was
pulled offline within three hours.

When initially reached for comment, Veeam spokesperson Heidi Kroft said:
“We will continue to conduct a deeper investigation and we will take
appropriate actions based on our findings.”

Veeam says on its website that it has 307,000 customers covering most of
the Fortune 500.

It’s not the first time a massive database of email addresses has leaked
online. An exposed database run by River City Media leaked over 393 million
email addresses in 2017
<https://techcrunch.com/2017/03/06/spammers-expose-billions-of-emails-after-failed-backup/>,
which prompted a frivolous lawsuit
<https://www.zdnet.com/article/chilling-effect-lawsuits-threaten-security-research-need-it-most/>
against the security researcher who found it. And later that year, a
massive spambot of 711 million email addresses, believed to be the largest
ever
<https://www.zdnet.com/article/onliner-spambot-largest-ever-malware-campaign-millions/>,
was uncovered by a Paris-based researcher.