A Dutch cybersecurity firm reports that its lead researcher recently discovered a massive 4TB SQL Server backup file belonging to EY openly exposed online, potentially revealing the global consulting giant’s internal secrets.
According to Neo Security’s write-up, the unsecured .bak file contained highly sensitive information, including API keys, cached authentication tokens, session tokens, service account passwords, and user credentials.
“Finding a 4TB SQL backup exposed to the public internet is like finding the master blueprint and the physical keys to a vault, just sitting there — with a note that says ‘free to a good home,’” the firm wrote.
After downloading a small portion for analysis, the researcher, who remained unnamed, verified that the file was also unencrypted. Neo Security said the exposure stemmed from a classic cloud storage misconfiguration, a mistake it has seen cause devastating breaches in the past.
The firm recalled a similar incident in which a company made a database backup temporarily public during migration. Automated scans detected the exposed bucket within minutes, leading to a full data theft that ultimately forced the victim company to shut down.
“Modern cloud platforms make it incredibly simple to export and back up your databases,” Neo Security noted. “But one wrong click or typo can expose terabytes of confidential data to the entire internet. The tools prioritize convenience — not security.”
It remains unclear how long EY’s backup was publicly accessible, though Neo Security warned that in such cases, it’s safest to assume compromise once exposure is confirmed.
The researcher was eventually able to reach EY’s incident response team after some weekend cold-messaging through LinkedIn. Neo Security praised EY’s handling of the situation as prompt and professional. The exposed file was secured within a week.