EY exposes 4TB+ SQL database to open internet for who knows how long

Summary

Researchers at Neo Security discovered a 4TB+ unencrypted SQL Server .BAK backup belonging to EY exposed on the public internet via a misconfigured cloud storage bucket. The file reportedly contained highly sensitive material including API keys, cached authentication and session tokens, service account passwords and user credentials. The lead researcher downloaded a small sample of the file to confirm its contents and notified EY; the firm responded and remediated the exposure within about a week.

Neo Security likened finding such a large unprotected backup to discovering the “master blueprint and the physical keys to a vault” — and warned that convenience-first cloud tooling makes it easy to accidentally publish terabytes of private data. The length of time the data was publicly accessible is unknown, and Neo advises treating the backup as compromised from the moment it was exposed.

Key Points

  • A 4TB+ SQL Server backup (.BAK) belonging to EY was publicly accessible in a cloud bucket and unencrypted.
  • The backup included API keys, cached and session tokens, service account passwords and user credentials — all high-risk data for attackers.
  • Exposure was due to a classic cloud bucket misconfiguration; automated scanners can find such leaks in minutes.
  • Neo Security confirmed the leak by downloading initial bytes and promptly contacted EY; EY’s incident response was praised and the issue was remediated within days.
  • Past incidents show even brief public access is enough for attackers to steal backups; organisations should assume compromise once a public exposure is discovered.
  • Mitigations include rotating credentials, auditing buckets, enforcing least privilege, encrypting backups and improving automation and alerts around bucket permissions.

Context and Relevance

This is a major example of how human error and permissive cloud defaults combine to create systemic risk. Big consultancies hold vast amounts of client and internal data; an exposed 4TB backup containing credentials and tokens can enable broad account takeover, lateral movement and supply-chain impact. The incident echoes numerous prior breaches where simple misconfigurations were all attackers needed.

For security teams, it underlines two continuing trends: (1) cloud convenience increases the chance of accidental mass exposure, and (2) credential/token leakage is often the pivot that turns an exposure into a catastrophic breach. Organisations should bake automated checks, default-deny bucket policies and mandatory encryption into their backup workflows, and practise rapid credential rotation and incident communication plans.
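One way to automate the bucket-permission and backup-encryption checks recommended above (in the Key Points and in this paragraph), as an added example that is not from the article, The Register or Neo Security. It assumes the AWS S3 bucket-policy document shape and an object inventory that reports server-side encryption status; the policy and object listing are constructed samples.

```python
"""Flag the two conditions behind the EY exposure: anonymous read access on a bucket and
backup objects stored without server-side encryption. Assumes AWS S3 policy shapes."""
import json
from fnmatch import fnmatch

# Constructed sample policy: statement 0 is the classic mistake (Principal "*" with GetObject)
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-backups/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-backups/*"},
    ],
})

# Constructed sample inventory rows (Key, Size in bytes, ServerSideEncryption or None)
SAMPLE_OBJECTS = [
    {"Key": "prod/warehouse.bak", "Size": 4_400_000_000_000, "ServerSideEncryption": None},
    {"Key": "prod/config.json", "Size": 2048, "ServerSideEncryption": "AES256"},
]

BACKUP_SUFFIXES = (".bak", ".sql", ".dump")  # extend to match your own backup naming


def _is_anonymous(principal):
    """'*' or {'AWS': '*'} grants access to anyone on the internet, no credentials needed."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_read_statements(policy_json):
    """Return indexes of Allow statements that let anonymous principals read objects.
    Conditions are deliberately not evaluated: an anonymous grant always warrants review."""
    hits = []
    for i, st in enumerate(json.loads(policy_json).get("Statement", [])):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") == "Allow" and _is_anonymous(st.get("Principal")) \
                and any(fnmatch("s3:GetObject", a) for a in actions):  # handles s3:Get*, s3:*, *
            hits.append(i)
    return hits


def unencrypted_backups(objects):
    """Return keys of backup-looking objects with no server-side encryption recorded."""
    return [o["Key"] for o in objects
            if o["Key"].lower().endswith(BACKUP_SUFFIXES) and not o.get("ServerSideEncryption")]
```

Run both checks from a scheduled job over every bucket and alert on any non-empty result; rotating the credentials inside a flagged backup is the follow-up, since exposure duration cannot be known after the fact.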

Why should I read this

Short version: if a Big Four firm can leave the keys lying around, your outfit probably can too. This story shows exactly what goes wrong — and what immediate steps to take — so you can avoid being the next cautionary tale.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/10/29/ey_exposes_4tb_sql_database/