Veeam server lapse leaks over 440 million email addresses

You know what isn’t a good look for a data management software company? A massive mismanagement of your own customer data.

Veeam, a backup and data recovery company, bills itself as a data giant that among other things can “anticipate need and meet demand, and move securely across multi-cloud infrastructures,” but is believed to have mislaid its own database of customer records.

Security researcher Bob Diachenko found an exposed database containing more than 200 gigabytes of customer records, mostly names, email addresses, and in some cases IP addresses. That might not seem like much, but such data would be a goldmine for spammers or bad actors conducting phishing attacks.

Diachenko, who blogged about his latest find, said the database didn’t have a password and could be accessed by anyone who knew where to look.

The database, of more than 200 gigabytes, included two collections holding 199.1 million and 244.4 million email addresses and records respectively, spanning a four-year period between 2013 and 2017. Without downloading the entire data set, it’s not known how many records are duplicates.

After TechCrunch informed the company of the exposure, the server was pulled offline within three hours.

When initially reached for comment, Veeam spokesperson Heidi Kroft said: “We will continue to conduct a deeper investigation and we will take appropriate actions based on our findings.”

Veeam says on its website that it has 307,000 customers covering most of the Fortune 500.

It’s not the first time a massive database of email addresses has leaked online. An exposed database run by River City Media leaked over 393 million email addresses in 2017, which prompted a frivolous lawsuit against the security researcher who found it. And, later that year, a massive spambot of 711 million email addresses, believed to be the largest ever, was uncovered by a Paris-based researcher.