This article is more than 1 year old

Back up a minute: Veeam database config snafu exposed millions of customer records

Firm helps self with own disaster recovery

A misconfigured server at data recovery and backup firm Veeam exposed millions of email addresses.

Close up of tangled tape

Reel talk: You know what's safely offline? Tape. Data protection outfit Veeam inks deal with Quantum


Security researcher Bob Diachenko discovered the 200GB cache of email addresses, names and (in some cases) IP addresses before notifying Veeam. The resource, which might easily have lent itself to spam and (perhaps) phishing attacks in the hands of cyber criminals, has since been pulled offline.

Diachenko discovered the Amazon-hosted MongoDB resource using Shodan, the machine data and IoT search engine. The data – seemingly collected between 2013 and 2017 – was neither password-protected nor encrypted. The researcher initially assessed the records breached to number 445 million, which seems a little unlikely judging by the disaster recovery specialist's size. In January this year, Veeam told investors it had an installed base of 282,000 customers.

Just last month, the data protection company was boasting about hooking up with tape storage outfit Quantum to produce a converged tape appliance. Ironically, it recommended the gear to customers as a "best practice data protection strategy" because of tape's status as an "offline" storage medium. Things like ensuring sensitive stuff is "not physically connected to the network" are indeed part of a solid plan of action on safeguarding data, sort of like one where you encrypt or at least password-protect the information which must be networked. Ah well, perhaps it should have consulted a data protection, er...

El Reg approached Veeam for comment on the apparent inadvertent server leak snafu.

In a canned statement, Veeam confirmed the stray database is now inaccessible, adding a variant of the standard corporate mantra on the occasion any breach that it takes security seriously.

It has been brought to our attention that one of our marketing databases, leaving a number of non-sensitive records (i.e. prospect email addresses), was possibly visible to third parties for a short period of time. We have now ensured that ALL Veeam databases are secure. Veeam takes data privacy and security very seriously, and a full investigation is currently underway.

Veeam refused to comment on the number of emails exposed as it is currently probing the debacle.

In related technology news, unsecured and internet accessible MongoDB databases are being wiped by crooks who subsequently make extortionate demands. Some victims have been paying ransoms demanded through the so-called Mongo Lock scam, as evidenced by the payment of funds in Bitcoin wallets linked to the racket. ®

More about

More about

More about


Send us news

Other stories you might like