KEY SUMMARY POINTS
- Unsecured Database: A publicly accessible Builder.ai database containing 3 million records (1.29 TB) was found without password protection or encryption, exposing critical customer and internal data.
- Exposed Sensitive Information: The leak included invoices, NDAs, tax documents, email screenshots, and cloud storage keys, putting customer PII and internal operations at risk.
- Potential Exploits: Risks include phishing, invoice fraud, unauthorized cloud access via exposed keys, and reputational damage to Builder.ai.
- Delayed Response: It took nearly a month for Builder.ai to secure the database after being notified, raising concerns about their incident response efficiency.
- Recommendations: Experts stress the need for encryption, secure storage of access keys, and segregating sensitive data to prevent similar breaches.
Builder.ai, a London, England-based AI development platform with branches in the US, Asia, Europe, and the Middle East, exposed a treasure trove of customer and internal data to public access without any security authentication or password.
This was revealed by cybersecurity researcher Jeremiah Fowler to Hackread.com who discovered a publicly accessible misconfigured database containing over 3 million records, totalling a whopping 1.29 TB of records.
According to Fowler’s report for Website Planet, the sensitive information included customer cost proposals, NDA agreements, invoices, tax documents, internal communications, secret access keys, customer PII, and email correspondence screenshots. The database contained around 337,434 invoices (18 GB) and 32,810 files (4 GB) labelled Master service agreements.
“Storing documents and access keys (e.g., Key ID and Secret Access Key) in plain text within the same database could potentially create a critical security vulnerability. In the event of an accidental exposure or unauthorized access to the database, malicious actors could use the keys to access linked systems, cloud storage, or other sensitive resources without additional authentication.”
Jeremiah Fowler
Database misconfigurations are a common issue, but a recent report highlights that even notorious hacker groups like ShinyHunters and Nemesis are actively targeting exposed databases. This shows that any such database if ended up in the hands of malicious threat actors can jeopardise the company’s reputation and user’s privacy.
Moreover, exposed documents can be a goldmine for hackers, enabling social engineering attacks such as crafting realistic fake invoices embedded with malware to exploit unsuspecting Builder.ai customers.
What’s worse, insider information within the data could be used to launch targeted phishing attempts against Builder.ai’s employees. That’s not all; leaked cloud storage access keys could grant unauthorized access to even more sensitive data stored elsewhere.
However, the risk extended further from the initial discovery. Builder.ai took an entire month to secure the database following the researcher’s notification, citing “complex system dependencies” as the reason for the delay. This explanation hints, though somewhat unclear, that the database exposure might have involved a third-party contractor.
The researcher emphasizes the importance of building systems with minimal dependencies to avoid hampering incident response. Nevertheless, to minimize risk, Fowler recommends organizations store administrative credentials and access keys securely, encrypt them, store them in a dedicated system, and separate them from other sensitive data, to prevent exploitation.
