445 million customer records found on MongoDB database running on unsecured AWS server

200GB database belonging to Veeam indexed on Shodan on 31 August - but was taken down nine days later

A database with 445 million customer records has been found on an open server on Amazon Web Services.

The database, which contains contact information belonging to backup and data recovery specialist Veeam, was uncovered by security researcher Bob Diachenko. He says that he uncovered the trove of personal information on 5 September, but that it was taken down or taken offline four days later - presumably, he says, after he contacted the company.

According to Diachenko, a security researcher and journalist, the MongoDB database was indexed by Shodan, the search engine that indexes internet-connected devices, on 31 August.

The 200GB database "included vast masses of data that is apparently used by Veeam marketing automation team to reach out to their customers using Marketo", wrote Diachenko in a blog post writing up the find. Marketo is a widely used marketing automation solution.

The huge volume of data - and its publication online - may give rise to an investigation under the General Data Protection Regulation (GDPR).

In addition to alerting Veeam, Diachenko shared the information with TechCrunch journalist Zack Whittaker.

"The database of more than 200 gigabytes [includes] two collections that had 199.1 million and 244.4 million email addresses and records respectively over a four-year period between 2013 and 2017. Without downloading the entire data set, it's not known how many records are duplicates," wrote Whittaker.

A Veeam spokesperson claimed that the company would conduct an investigation and "take appropriate action" accordingly. They added that the company has ensured that all Veeam databases are now secured appropriately.

However, BleepingComputer pointed out that misconfigured MongoDB databases - the software was originally distributed without security features turned on by default - ought to be a thing of the past, given the number of data spillages that have already involved them.