- Security researchers discovered a major database with more than 3 million records
- Belongs to Builder.ai, a low-code/no-code platform
- Contains confidential information, NDAs and more.
Builder.ai may have unintentionally exposed sensitive information about millions of its users, researchers said.
Jeremiah Fowler, a security researcher known for searching non-password-protected databases containing sensitive information, said he discovered an archive with more than 3 million records.
The database is owned by Builder.ai, a British no-code/low-code platform that allows businesses to quickly and affordably build custom software applications without requiring deep technical knowledge.
Complexities with dependent systems
Fowler said the database contained 3,077,542 records, with a total size of 1.29 TB, including cost proposals, NDA agreements, invoices, tax documents, screenshots of email correspondence, internal image files and much more.
“Among the most concerning files were two documents indicating access and configuration details for two separate cloud storage databases that also included secret access keys,” Fowler said on Website Planet.
“It is hypothetically possible that those access keys could have revealed additional potentially sensitive data if they fell into the wrong hands.”
In total, there were 337,434 invoices and 32,810 files called Framework Service Agreements. The latter also contained NDA agreements with names, emails, IP addresses, project cost summaries, and other project details.
Fowler disclosed his findings to Builder.ai; however, the database had still not been secured a month later, with “complexities with dependent systems” cited as the reason, and it is unknown whether the database is still open and accessible.
Misconfigured databases remain one of the main causes of data leaks on the Internet. Many researchers warn that organizations do not understand the shared responsibility model used by most cloud service providers, and so end up leaving huge databases, full of valuable information, open and accessible to everyone.
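The two risk factors described above, credentials sitting in plain documents and a data store left readable without authentication, compound each other: once the store is found, the keys inside it extend the exposure to other systems. One defensive control is to scan records for embedded credentials before they are exported to, or indexed in, any shared store, and to redact what is found. The following is an added example written for this page; it is not code from the article or from Builder.ai. The record layout (dicts with `id`, `type` and `body` fields), the field names and the sample documents are constructed for illustration, and the key values are the placeholder credentials from AWS documentation rather than live secrets.

```python
"""Scan exported records for embedded cloud credentials and redact them.

Added example, not code from the article or from Builder.ai. The record layout,
field names and sample documents are constructed for illustration.
"""
import math
import re
from dataclasses import dataclass

# Documented shape of an AWS access key ID: "AKIA" followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# A labelled secret in free text, e.g. "secret_access_key=..." or "password: ...".
# There is deliberately no leading word boundary so prefixed labels such as
# "aws_secret_access_key" are matched as well.
LABELLED_SECRET_RE = re.compile(
    r"(?i)(secret[_ -]?access[_ -]?key|secret[_ -]?key|password|api[_ -]?key)"
    r"\s*[:=]\s*([^\s'\"]{8,})"
)
# Candidate tokens for the entropy check: long runs of key-like characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; prose and repeated characters score lower


@dataclass(frozen=True)
class Finding:
    record_id: str
    field_name: str
    kind: str
    preview: str  # first four characters plus "...", safe to write to a log


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for the empty string."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def find_secrets(text: str) -> list[tuple[str, str]]:
    """Return (kind, raw_value) pairs found in text; each raw value is reported once."""
    found: list[tuple[str, str]] = []
    seen: set[str] = set()

    def add(kind: str, raw: str) -> None:
        if raw not in seen:
            seen.add(raw)
            found.append((kind, raw))

    for m in ACCESS_KEY_ID_RE.finditer(text):
        add("access_key_id", m.group(1))
    for m in LABELLED_SECRET_RE.finditer(text):
        add("labelled_secret", m.group(2))
    # Entropy fallback for unlabelled material; runs last so labelled hits take precedence.
    for m in TOKEN_RE.finditer(text):
        if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
            add("high_entropy_token", m.group(0))
    return found


def scan_records(records: list[dict[str, str]]) -> list[Finding]:
    """Scan every non-id field of every record and return loggable findings."""
    findings: list[Finding] = []
    for rec in records:
        for field_name, value in rec.items():
            if field_name == "id":
                continue
            for kind, raw in find_secrets(value):
                findings.append(Finding(rec["id"], field_name, kind, raw[:4] + "..."))
    return findings


def redact_records(records: list[dict[str, str]]) -> list[dict[str, str]]:
    """Return copies of the records with every detected secret replaced by a marker."""
    cleaned: list[dict[str, str]] = []
    for rec in records:
        new_rec = dict(rec)
        for field_name, value in rec.items():
            if field_name == "id":
                continue
            for kind, raw in find_secrets(value):
                value = value.replace(raw, f"[REDACTED:{kind}]")
            new_rec[field_name] = value
        cleaned.append(new_rec)
    return cleaned


# Constructed sample records standing in for exported documents. The credential values
# are the placeholder examples from AWS documentation, not live keys.
SAMPLE_RECORDS = [
    {"id": "doc-001", "type": "cloud_storage_config",
     "body": ("bucket=project-assets\n"
              "aws_access_key_id=AKIAIOSFODNN7EXAMPLE\n"
              "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")},
    {"id": "doc-002", "type": "invoice",
     "body": "Invoice 4711 for milestone 2, total 12,000 EUR, payable within 30 days."},
    {"id": "doc-003", "type": "nda",
     "body": "Mutual NDA between Example Ltd and the client; contact jane@example.com."},
    {"id": "doc-004", "type": "deployment_notes",
     "body": "Rotate the service token Zq8vL2nR5tK9pX3wJ6bM0cD4fG7hY1sA after handover."},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f.record_id} {f.field_name} {f.kind} {f.preview}")
    for rec in redact_records(SAMPLE_RECORDS):
        print(rec["id"], rec["body"].replace("\n", " | "))
```

The labelled-secret and access-key patterns give precise hits with a known meaning; the entropy check is the catch-all for unlabelled tokens, and its threshold is what keeps ordinary prose, URLs and repeated padding out of the results. Findings carry only a four-character preview so the scanner's own log does not become a second copy of the leaked material; redaction works on the original value and never needs the full secret to leave the function.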
If cybercriminals were to find these files, they could use the information they contain to conduct phishing attacks, identity theft, and possibly even wire fraud.