A team at network security outfit vpnMentor was scanning cyber-space as part of a web-mapping project when they happened upon a Graylog management server belonging to Tech Data that had been left freely accessible to the public. Within that database, we’re told, was a 264GB cache of information including emails, payment and credit card details, and unencrypted usernames and passwords. Pretty much everything you need to ruin someone’s day (or year).
The exposure, vpnMentor told The Register today, is particularly bad due to the nature of Tech Data’s customers. The Fortune 500 distie provides everything from financing and marketing services to IT management and user training courses. Among the clients listed on its site are Apple, Symantec, and Cisco.
“This is a serious leak as far as we can see, so much so that all of the credentials needed to log in to customer accounts are available,” a spokesperson for vpnMentor told El Reg. “Because of the size of the database, we could not go through all of it and there may be more sensitive information available to the public than what we have disclosed here.”
In addition to the login credentials and card information, the researchers said they were able to find private API keys and logs in the database, as well as customer profiles that included full names, job titles, phone numbers, and email and postal addresses. All available to anyone who could find it.
vpnMentor says it discovered and reported the open database on June 2 to Tech Data, and by June 4 the distie had told the team it had secured the database and hidden it from public view. Tech Data did not respond to a request for comment from The Register. The US-based company did not mention the incident in its most recent SEC filings.