EY reportedly left a 4TB database backup exposed online, with company secrets in it for anyone who found it
EY says it acted fast to clean up the mess
 
- A 4TB SQL Server backup (.BAK) belonging to EY was exposed on the public internet; the researcher says such files hold credentials and application secrets
- Neo Security warned EY; researchers suspect threat actors may have already accessed the data
- EY responded professionally but took a week to fully remediate the issue
Ernst & Young (EY), one of the world’s biggest accounting companies, kept a complete database backup on the public internet, available to anyone who knew where to look. The backup, a .BAK file, was 4 TB in size, and contained sensitive information such as schema, data, stored procedures, and “every secret stored in those tables”.
This is according to a security researcher at Neo Security, who was doing “low-level tooling work” when an SQL Server BAK file caught his attention.
The researcher did not download the entire database (because that would be a felony), but claims these files usually contain “API keys, session tokens, user credentials, cached authentication tokens, service account passwords. Whatever the application stored in the database. Not just one secret... all the secrets.”
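As an added example (not from the article, and not Neo Security's own tooling), the Python helper below does what the researcher describes in spirit: it identifies what an exposed .bak object is from its first few kilobytes alone, via an HTTP Range request, rather than pulling the whole file. It assumes that SQL Server native backups are written in Microsoft Tape Format, whose first descriptor block opens with the ASCII tag "TAPE"; the severity labels, the 1 GiB threshold and the `fetch_sample` helper are illustrative assumptions, and the sample bytes in the `__main__` block are constructed.

```python
"""Triage a suspected SQL Server backup (.bak) from its first bytes only.

Added example; not part of the TechRadar article or Neo Security's tooling.
Assumption: SQL Server native backups are written in Microsoft Tape Format
(MTF), whose first descriptor block begins with the ASCII tag "TAPE". A file
merely named *.bak may be anything (an editor backup, a SQLite copy, a text
dump), so the header, not the extension, decides what it is.
"""

from dataclasses import dataclass
from typing import Optional
import urllib.request

MTF_TAPE_MAGIC = b"TAPE"                 # MTF tape header descriptor block ID
SQLITE_MAGIC = b"SQLite format 3\x00"   # SQLite 3 database header string
SAMPLE_BYTES = 4096                      # how much to fetch with a Range request


@dataclass
class BackupTriage:
    kind: str                 # "sqlserver-mtf", "sqlite", "text", or "unknown"
    size_bytes: Optional[int]
    severity: str             # "critical", "high", or "review" (illustrative labels)


def classify_header(first_bytes: bytes) -> str:
    """Classify a file from its leading bytes; never needs the whole object."""
    if first_bytes.startswith(MTF_TAPE_MAGIC):
        return "sqlserver-mtf"
    if first_bytes.startswith(SQLITE_MAGIC):
        return "sqlite"
    try:
        first_bytes.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "unknown"


def triage(first_bytes: bytes, size_bytes: Optional[int]) -> BackupTriage:
    """Decide how loudly to escalate an internet-reachable object.

    A publicly reachable database backup is an incident regardless of size:
    a native SQL Server backup carries schema, data, stored procedures and
    every credential the application persisted, so rotating those secrets
    starts immediately. Large blobs of unknown type still warrant a look.
    """
    kind = classify_header(first_bytes)
    if kind in ("sqlserver-mtf", "sqlite"):
        severity = "critical"
    elif size_bytes is not None and size_bytes >= 1 << 30:   # >= 1 GiB, unknown content
        severity = "high"
    else:
        severity = "review"
    return BackupTriage(kind=kind, size_bytes=size_bytes, severity=severity)


def fetch_sample(url: str, timeout: float = 10.0) -> tuple[bytes, Optional[int]]:
    """Fetch only the first SAMPLE_BYTES of a URL with an HTTP Range request.

    Confirming what a file is does not require downloading it: a 4TB object
    is identified from its first 4 KiB. When the server honours the range,
    Content-Range carries the total size; Content-Length is the fallback.
    Network helper, not exercised offline.
    """
    req = urllib.request.Request(url, headers={"Range": f"bytes=0-{SAMPLE_BYTES - 1}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        data = resp.read(SAMPLE_BYTES)
        total: Optional[int] = None
        content_range = resp.headers.get("Content-Range")  # e.g. "bytes 0-4095/4398046511104"
        if content_range and "/" in content_range:
            tail = content_range.rsplit("/", 1)[1]
            total = int(tail) if tail.isdigit() else None
        elif resp.status == 200 and resp.headers.get("Content-Length"):
            total = int(resp.headers["Content-Length"])
    return data, total


if __name__ == "__main__":
    # Constructed sample: the opening bytes of a SQL Server backup and a size
    # of 4 TiB, so the script runs without touching the network.
    sample = MTF_TAPE_MAGIC + b"\x00" * 60
    print(triage(sample, 4 * 1024 ** 4))
```

In practice the header check is what separates a genuine database backup from the many harmless files that happen to end in .bak, and the Range request is why a single researcher can confirm the finding responsibly: the object is identified, not copied.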
"Textbook perfect" response
The researcher explained that the ramifications could have been enormous. A single BAK file, exposed for just a few minutes, can be enough for a company to be breached and infected with ransomware.
“Finding a 4TB SQL backup exposed to the public internet is like finding the master blueprint and the physical keys to a vault, just sitting there. With a note that says ‘free to a good home’,” they warned.
Once the researcher had confirmed what the file was, they reached out to EY to warn them about the findings. They did not know how long the database had been exposed, and said that every responsible researcher should assume that, by the time it was found, multiple threat actors had already taken a copy.
Still, they praised EY for their response, saying the company’s IT team was “Textbook perfect.”
“Professional acknowledgment. No defensiveness, no legal threats. Just: ‘Thank you. We're on it.’”
Still, it took EY a full week to get the issue fully triaged and remediated - a lot of time for an issue in which every second matters.
"Several months ago, EY became aware of a potential data exposure and immediately remediated the issue," EY told TechRadar Pro in a statement.
"No client information, personal data, or confidential EY data has been impacted. The issue was localized to an entity that was acquired by EY Italy and was unconnected to EY global cloud and technology systems."
Via The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.