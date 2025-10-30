EY exposed a 4TB SQL backup online containing sensitive credentials and application secrets

Neo Security warned EY; researchers suspect threat actors may have already accessed the data

EY responded professionally but took a week to fully remediate the issue

Ernst & Young (EY), one of the world’s biggest accounting companies, left a complete database backup on the public internet, available to anyone who knew where to look. The backup, a 4 TB SQL Server .BAK file, contained the database schema, the data itself, stored procedures, and, in the researcher’s words, “every secret stored in those tables”.

This is according to a security researcher at Neo Security, who was doing “low-level tooling work” when an SQL Server BAK file caught his attention.

The researcher did not download the entire database (doing so would be a felony), but says such files usually contain “API keys, session tokens, user credentials, cached authentication tokens, service account passwords. Whatever the application stored in the database. Not just one secret... all the secrets.”
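A defender reading this will want a way to check their own web roots and object stores for the same mistake before someone else does. The script below is an added example for that purpose; it is not code from EY, Neo Security or The Register. It flags files by backup-style extension, and separately by the “TAPE” header that SQL Server’s native (Microsoft Tape Format) backups start with, so a renamed .BAK does not slip past. It then scans only the first few megabytes for the kinds of strings the researcher describes, because reading a multi-terabyte file end to end is unnecessary to prove it needs rotating. The secret patterns, the sample directory and the file contents are all constructed for the demonstration.

```python
import os
import re
import tempfile

# SQL Server native backups are written in Microsoft Tape Format (MTF); the
# file opens with a TAPE descriptor block whose first bytes are ASCII "TAPE".
MTF_MAGIC = b"TAPE"

# File extensions commonly used for database backups and dumps (not exhaustive).
BACKUP_EXTENSIONS = {".bak", ".trn", ".dmp", ".sql"}

# Illustrative patterns for the kinds of material the article says a backup
# holds. They are constructed for this example, not a complete ruleset.
SECRET_PATTERNS = {
    "password": re.compile(rb"(?i)(?:password|passwd|pwd)\s*[=:]\s*[^\s;]+"),
    "api_key": re.compile(rb"(?i)(?:api[_-]?key|secret[_-]?key)\s*[=:]\s*[^\s;]+"),
    "bearer_token": re.compile(rb"(?i)bearer\s+[A-Za-z0-9._-]{20,}"),
}

# Never read a multi-terabyte file end to end to confirm the obvious;
# the first few MB already prove every secret in it must be rotated.
MAX_SCAN_BYTES = 8 * 1024 * 1024


def is_native_sql_backup(path):
    """True if the file starts with the MTF 'TAPE' header used by SQL Server .BAK files."""
    with open(path, "rb") as fh:
        return fh.read(len(MTF_MAGIC)) == MTF_MAGIC


def scan_for_secrets(path, max_bytes=MAX_SCAN_BYTES):
    """Count matches of each secret pattern in the first max_bytes of the file."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    hits = {name: len(rx.findall(data)) for name, rx in SECRET_PATTERNS.items()}
    return {name: n for name, n in hits.items() if n}, len(data)


def classify(path):
    """Return a finding dict if the file looks like a database backup, else None."""
    ext = os.path.splitext(path)[1].lower()
    native = is_native_sql_backup(path)
    if ext in BACKUP_EXTENSIONS:
        reason = "extension"
    elif native:
        reason = "mtf-magic"  # renamed backup: the extension lies, the header does not
    else:
        return None
    secret_hits, scanned = scan_for_secrets(path)
    return {
        "name": os.path.basename(path),
        "path": path,
        "size_bytes": os.path.getsize(path),
        "reason": reason,
        "native_sql_backup": native,
        "secret_hits": secret_hits,
        "scanned_bytes": scanned,
    }


def find_exposed_backups(root):
    """Walk a directory that is (or is about to be) served publicly and list backup files."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            finding = classify(os.path.join(dirpath, fn))
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f["name"])


def build_sample_tree(root):
    """Constructed sample web root: two backups (one renamed) and two harmless files."""
    samples = {
        "nightly.bak": MTF_MAGIC + b"\x00" * 60
        + b"Server=db01;Database=app;User Id=svc;Password=hunter2;\n"
        + b"API_KEY=sk_live_constructed_example_123\n",
        "archive.dat": MTF_MAGIC + b"\x00" * 60 + b"service_account_pwd: s3cr3t!\n",
        "index.html": b"<html><body>nothing to see</body></html>",
        "notes.txt": b"password=only-backup-files-get-scanned",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)


def demo():
    """Build the constructed sample tree in a temp dir and return the findings."""
    root = tempfile.mkdtemp(prefix="exposed-backup-check-")
    build_sample_tree(root)
    return find_exposed_backups(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['name']}: flagged by {f['reason']}, native SQL Server backup={f['native_sql_backup']}, "
              f"secret hits={f['secret_hits']} (scanned {f['scanned_bytes']} of {f['size_bytes']} bytes)")
```

Point it at a real web root or a synced copy of a bucket instead of the sample tree. Any hit is a rotation event, not a cleanup ticket: as the researcher notes below, you cannot know how long the file was reachable, so treat every credential it contains as already in someone else’s hands.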

"Textbook perfect" response

The researcher explained that the ramifications could have been enormous: a single BAK file, exposed for even a few minutes, is enough for a company to be breached and hit with ransomware.

“Finding a 4TB SQL backup exposed to the public internet is like finding the master blueprint and the physical keys to a vault, just sitting there. With a note that says "free to a good home",” they warned.

As soon as their suspicions were confirmed, the researchers contacted EY to report the exposure. They did not know how long the database had been open, and said that every responsible researcher should assume that by then multiple threat actors had already taken a copy.

Even so, they praised EY for its response, saying the company’s IT team was “Textbook perfect.”

“Professional acknowledgment. No defensiveness, no legal threats. Just: "Thank you. We're on it."”

That said, it took EY a full week to triage and fully remediate the issue, a long time for a problem in which every second matters.

Via The Register

