EY SQL Database Backup Exposed via Cloud Misconfiguration
A 4TB+ SQL Server backup file belonging to Ernst & Young (EY) was discovered exposed to the public internet due to a cloud storage misconfiguration. The backup, which was unencrypted, contained highly sensitive information including API keys, session tokens, cached authentication tokens, service account passwords, and user credentials. The exposure was identified by Neo Security, whose lead researcher found and partially downloaded the file, confirming the presence of critical secrets. The incident highlights the risks associated with cloud storage misconfigurations, where even brief exposures can be detected and exploited by automated scans.
Upon being notified by Neo Security, EY responded promptly and professionally, acknowledging the issue and engaging in clear, technical communication with the researchers. The firm’s incident response was described as "textbook perfect," with the vulnerability triaged and fully remediated within a week. The case underscores the importance of mature security practices and rapid response in mitigating the impact of accidental data exposures, especially when large volumes of sensitive corporate data are at risk.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Public reporting reveals EY cloud exposure and disclosure challenges
Multiple security news outlets reported that EY had publicly exposed a 4TB SQL Server backup on Microsoft Azure, highlighting both the sensitivity of the exposed data and the lack of an accessible security contact for responsible disclosure. The coverage noted EY was likely investigating how long the data had been exposed and the extent of any access.
EY remediates the exposed cloud backup within about a week
After being notified, EY triaged and remediated the exposure within roughly a week, according to the researcher. The disclosure process was slowed by the absence of a clear public vulnerability reporting channel, requiring outreach through LinkedIn.
Neo Security discovers EY's exposed 4TB SQL Server backup
Neo Security found a publicly accessible 4TB SQL Server backup file in cloud storage traced to Ernst & Young. The backup reportedly contained sensitive data including API keys, user credentials, and service account passwords.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
EY Exposes 4TB SQL Server Backup Publicly on Microsoft Azure
securityaffairs.com
Open sourceExtensive EY SQL Server backup file inadvertently exposed
scworld.com
Open sourceEY exposes 4TB+ SQL database to open internet for who knows how long
go.theregister.com
Open sourceThe 4TB time bomb: when EY’s cloud went public (and what it taught us)
databreaches.net
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Massive Data Exposure via Misconfigured Elasticsearch Server Containing 6 Billion Records
A misconfigured Elasticsearch server, believed to be operated from Russia or a Russian-speaking country, was discovered leaking over 6.19 billion records to the public internet without any authentication or password protection. The exposed server contained a massive trove of 1.12 terabytes of data, including records collected from both disclosed and undisclosed data breaches, as well as information obtained through website scraping. Among the most sensitive data found were records from Ukrainian bank Accordbank, which included users’ full names, birthdates, birthplaces, addresses, phone numbers, national ID numbers, passport numbers, and tax codes. Independent cybersecurity researcher Anurag Sen was the first to identify the exposed server and report its existence to the media. The server’s index information confirmed the scale of the exposure, with over 6.19 billion records available for anyone to access. Screenshots from the server revealed that the data was stored in JSON format and included detailed personally identifiable information (PII) from various sources. The database also contained files referencing Accordbank, which were later observed being peddled by the user "tRex_Prime" on DarkForums, indicating that the data may have already been accessed and distributed by other threat actors. The leak included not only banking and contact information but also records from other breaches and data scraped from websites, making the exposure particularly broad and damaging. The server was eventually taken offline, but it remains unclear how long the data was accessible or how many unauthorized parties may have downloaded the information. Previous incidents involving hacking groups such as ShinyHunters and Nemesis were also mentioned, as they had leaked stolen data and hacking tools from other exposed cloud storage resources in the past. The incident highlights the ongoing risks associated with misconfigured cloud infrastructure and the potential for large-scale data aggregation to amplify the impact of breaches. Security experts warn that such exposed databases are prime targets for cybercriminals seeking to exploit PII for identity theft, fraud, and further attacks. The presence of both old and new breach data, as well as scraped information, demonstrates the evolving tactics of threat actors in collecting and monetizing sensitive information. Organizations are urged to regularly audit their cloud configurations and monitor for unauthorized data exposures to prevent similar incidents. The scale and sensitivity of the leaked data underscore the urgent need for improved security practices in managing large datasets, especially those containing PII from multiple sources. The incident serves as a stark reminder of the consequences of failing to secure cloud-based data storage and the far-reaching impact such exposures can have on individuals and organizations worldwide.
Mar 21, 2026
Netcore Cloud Data Exposure of 40 Billion Unencrypted Mail Logs
A massive data exposure incident occurred involving Netcore Cloud, an Indian-based global email marketing and automation company, when a misconfigured server left over 40 billion records and 13.4 terabytes of data publicly accessible. The exposed database contained unencrypted mail logs, which included sensitive information such as email addresses, message subjects, internal delivery details, and technical data like IP addresses and SMTP configurations. Among the leaked records were healthcare notifications, banking activity alerts, and employment-related emails, some of which were marked as confidential. The data was accessible to anyone who knew the server’s IP address, posing a significant risk of unauthorized access and potential misuse. The breach affected Netcore Cloud’s global client base, which spans more than 6,500 brands across 40 countries and includes organizations in sectors such as ecommerce, finance, media, and travel. The exposure was discovered by cybersecurity researcher Jeremiah Fowler, who reported the issue after finding the database unprotected and unencrypted. Upon notification, Netcore Cloud responded promptly by securing the database and restricting public access on the same day. The company also requested additional information from the researcher to support its internal investigation. The incident highlights the risks associated with misconfigured cloud infrastructure, especially for companies handling large volumes of sensitive communication data. The scale of the exposure, both in terms of record count and data volume, makes it one of the more significant data leaks in recent times. The presence of confidential and technical information in the logs could facilitate further attacks, such as phishing or account compromise, if accessed by malicious actors. The incident underscores the importance of robust security controls, regular audits, and prompt response protocols for organizations managing critical customer data. Netcore Cloud’s swift action in securing the database likely mitigated further risk, but the exposure period remains unclear. The breach has raised concerns about data privacy and the security practices of third-party service providers in the email marketing industry. Organizations using Netcore Cloud’s services may need to assess their own exposure and consider additional safeguards. The event serves as a cautionary tale for all companies relying on cloud-based infrastructure to ensure proper configuration and continuous monitoring to prevent similar incidents.
Mar 21, 2026
Invoicely Database Exposure of Sensitive Client and Business Records
Cybersecurity researcher Jeremiah Fowler discovered a publicly accessible database containing 178,519 files linked to the cloud-based invoicing platform Invoicely. The exposed database included a wide array of sensitive documents, such as invoices, scanned checks, tax forms, banking information in both PDF and CSV formats, and other financial records. Personally identifiable information (PII) was also present, including names, tax identification numbers, phone numbers, and physical addresses of clients, partners, and employees from around the world. Additional sensitive documents found in the database included medical payment receipts and airline tickets, further increasing the risk of identity theft and privacy violations. The database was not protected by a password or encryption, making it easily accessible to anyone who discovered its location online. The exposure of such data presents significant risks for financial fraud, particularly invoice fraud, as cybercriminals could use the information to create convincing fake invoices or target individuals and businesses for spear-phishing attacks. The presence of detailed financial and personal data could also facilitate broader identity theft schemes. Invoicely, operated by Vienna-based Stack Holdings GmbH, is a widely used platform, reportedly serving over 250,000 businesses globally, amplifying the potential impact of the breach. It remains unclear whether the exposed database was directly managed by Invoicely or by a third-party contractor, and there is no public information on how long the data was accessible or whether it was accessed by malicious actors. After Fowler reported the issue, the database was promptly taken offline to prevent further exposure. The incident highlights the critical importance of encrypting sensitive data and implementing robust access controls, as even a single misconfiguration can lead to massive data leaks. Fowler emphasized that proper encryption would have made the data extremely difficult to access without the correct credentials, even if the database was exposed. The event serves as a stark reminder for SaaS providers and their clients to regularly audit their data storage practices and ensure compliance with data protection standards. The lack of immediate clarity regarding the management and duration of the exposure raises concerns about potential regulatory and reputational consequences for Invoicely. Organizations using cloud-based financial platforms are urged to review their own security postures in light of this incident.
Mar 21, 2026