- Security researchers discovered a large database with more than 3M records
- It belongs to Builder.ai, a low-code/no-code platform
- It contains sensitive information, non-disclosure agreements and more
Builder.ai may have unwittingly exposed sensitive information about millions of its users, researchers claim.
Jeremiah Fowler, a security researcher known for unearthing databases left exposed without password protection and containing sensitive information, said he has discovered an archive with more than 3 million records.
The database is owned by Builder.ai, a British no-code/low-code platform that allows companies to quickly and affordably create custom software applications without the need for deep technical expertise.
Complexities with dependent systems
Fowler said the database contained 3,077,542 records, with a total size of 1.29 TB, including cost proposals, NDA agreements, invoices, tax documents, screenshots of email correspondence, internal image files and more.
“Among the most concerning files were two documents indicating access and configuration details of two separate cloud storage databases, which also contained secret access keys,” Fowler said in a report published on Website Planet.
“It is hypothetically possible that these access keys could have revealed additional potentially sensitive data if they fell into the wrong hands.”
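Documents that carry live cloud access keys are exactly what a pre-upload or repository scan should catch before they reach a shared bucket. The following scanner is an added example and is not code from Fowler's report or from Builder.ai; it matches the documented AWS access key ID format (AKIA plus 16 uppercase alphanumerics), a labelled 40-character secret, and labelled passwords, and it reports findings with the values redacted so the report itself does not become a second leak. The sample document is constructed for the example.

```python
import re

# Patterns for well-known long-lived credential formats. The "AKIA" prefix plus
# 16 uppercase alphanumerics is the documented AWS access key ID shape. The
# 40-character secret is only matched when it follows a "secret ... key" label,
# because on its own the character class is too generic to flag reliably.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)(?:aws_)?secret(?:_access)?_key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
    "generic_password": re.compile(r"(?i)\bpassword\s*[:=]\s*['\"]?(\S+)"),
}

# Constructed sample of the kind of "handover" document that ends up in shared
# storage. The key values are the public AWS documentation placeholders, not
# real credentials.
SAMPLE_DOC = """Project storage handover (constructed sample)
bucket: example-project-assets
AWS_ACCESS_KEY_ID=AKIAEXAMPLE012345678
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db password: hunter2
"""


def redact(value):
    """Keep only the first and last four characters so a finding can be
    matched to the original without reproducing the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text, source="<memory>"):
    """Return one finding per credential-looking match, in document order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({
                    "source": source,
                    "line": lineno,
                    "kind": kind,
                    "redacted": redact(match.group(1)),
                })
    return findings


def scan_file(path):
    """Scan a text file on disk; undecodable bytes are replaced, not skipped."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read(), source=path)


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_DOC, "handover.txt"):
        print(f"{finding['source']}:{finding['line']} "
              f"{finding['kind']} -> {finding['redacted']}")
```

Run over an export directory before it is shared, any hit is a reason to rotate the key rather than merely delete the file, since the document may already have been copied.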
In total, there were 337,434 invoices and 32,810 files labeled Master Service Agreements. The latter also contained NDA agreements with names, email addresses, IP addresses, project cost statements and other project details.
Fowler disclosed his findings to Builder.ai, but it was unable to close the database even a month later, citing “complexities with dependent systems” – and it is unknown whether the database is still open and accessible.
Misconfigured databases remain one of the top causes of data breaches on the Internet. Many researchers warn that organizations fail to understand the shared responsibility model that most cloud service providers operate under, and they end up generating massive databases, filled with valuable information, that are open and accessible to anyone.
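The misconfiguration described above usually comes down to two settings: the database listens on every interface and authentication is switched off. The audit function below is an added example, not code from the page or from Builder.ai, and the page does not say which database product was involved; it assumes a configuration shaped like mongod's `net.bindIp`, `net.bindIpAll`, `net.tls.mode` and `security.authorization` keys, which are real mongod options, and compares a constructed weak configuration with a hardened one.

```python
# Public listen addresses: binding to these exposes the service to every network
# the host is attached to.
PUBLIC_BIND_ADDRESSES = {"0.0.0.0", "::"}

# Constructed weak configuration of the kind that produces an open database:
# listens everywhere, authorization never enabled, no TLS.
WEAK_CONFIG = {
    "net": {"bindIp": "0.0.0.0", "port": 27017},
    "security": {},
}

# Constructed hardened configuration: bound to loopback plus one internal
# address, authorization enabled, TLS required.
HARDENED_CONFIG = {
    "net": {"bindIp": "127.0.0.1,10.0.0.5", "port": 27017,
            "tls": {"mode": "requireTLS"}},
    "security": {"authorization": "enabled"},
}


def audit_db_config(cfg):
    """Return (severity, message) findings for an exposed-database pattern.

    Assumes a mongod-style config dict; defaults mirror mongod's own
    (bindIp defaults to localhost, authorization defaults to disabled).
    """
    net = cfg.get("net", {})
    sec = cfg.get("security", {})

    bind = [a.strip() for a in str(net.get("bindIp", "127.0.0.1")).split(",")]
    public = bool(net.get("bindIpAll")) or any(a in PUBLIC_BIND_ADDRESSES for a in bind)
    auth_enabled = sec.get("authorization") == "enabled"
    tls_required = net.get("tls", {}).get("mode") == "requireTLS"

    findings = []
    if public and not auth_enabled:
        findings.append(("CRITICAL",
                         "listens on all interfaces with authorization disabled: "
                         "anyone who can reach the port can read every collection"))
    elif public:
        findings.append(("WARNING",
                         "listens on all interfaces; authentication is enabled but "
                         "network exposure should still be restricted"))
    if not auth_enabled:
        findings.append(("HIGH", "security.authorization is not 'enabled'"))
    if public and not tls_required:
        findings.append(("MEDIUM",
                         "credentials and data cross the network without "
                         "net.tls.mode: requireTLS"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_db_config(cfg) or 'no findings'}")
```

The check is deliberately conservative: a public bind address with authentication on is still reported, because the remaining exposure is the failure mode the article describes when a fix is delayed by "complexities with dependent systems".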
Should cybercriminals find these archives, they could use the information contained therein to conduct phishing attacks, identity theft, and possibly even wire fraud.