A large 4TB SQL Server backup file belonging to world accounting big Ernst & Younger (EY) was found publicly accessible on Microsoft Azure.
The publicity, uncovered by cybersecurity agency Neo Safety throughout a routine asset mapping train, highlights how even well-resourced organizations can inadvertently go away delicate knowledge susceptible to the web’s automated scanners.
Neo Safety’s lead researcher found the file whereas analyzing passive community site visitors with low-level instruments.
A easy HEAD request meant to fetch metadata with out downloading content material revealed the staggering dimension: 4 terabytes of knowledge, equal to tens of millions of paperwork or a complete library’s value of knowledge.
The file’s naming conference screamed SQL Server backup (.BAK format), which generally accommodates full database dumps, together with schemas, person knowledge, and, crucially, embedded secrets and techniques reminiscent of API keys, credentials, and authentication tokens.
Discovery and Verification Course of
Preliminary searches on the Azure Blob Storage yielded no speedy possession clues, however deeper probes uncovered merger paperwork in a European language, translated with instruments like DeepL, pointing to a 2020 acquisition.
A pivotal DNS SOA file lookup tied the area to ey.com, confirming EY’s involvement. To keep away from any authorized pitfalls, the workforce downloaded solely the file’s first 1,000 bytes, revealing an unmistakable “magic bytes” signature for an unencrypted SQL Server backup, Neo Safety learns.
This was not a theoretical threat. Neo Safety relied on real-world incident response expertise, recalling a fintech breach that resulted from the temporary publicity of the same .BAK file for simply 5 minutes.
In that case, attackers exploited the temporary window to exfiltrate personally identifiable info and credentials, resulting in ransomware and the corporate’s collapse.
With at present’s botnets scanning your entire IPv4 tackle area in minutes, such exposures invite inevitable compromise. Neo Safety halted additional probing and pursued accountable disclosure over a weekend, finally connecting with EY’s CSIRT by way of LinkedIn outreach after 15 makes an attempt.
EY responded swiftly and professionally, triaging and remediating the difficulty inside every week, with no defensiveness, simply efficient motion.
The agency deserves credit score for its mature dealing with, a rarity in an trade usually marred by denial or delays. But the incident underscores systemic cloud vulnerabilities. Azure’s comfort in exporting databases can result in ACL (Entry Management Checklist) errors, flipping personal storage public with one misclick.
For EY a Massive 4 agency auditing billion-dollar offers and holding market-moving monetary knowledge this lapse raises questions on oversight in fast-paced infrastructures.
Consultants warn that automated adversarial scanning means exposures aren’t “if” however “what number of” actors discover.
As cloud complexity grows, steady mapping and visibility instruments grow to be important to outpace threats, making certain organizations uncover their very own leaks first.
Comply with us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to characteristic your tales.
