Ernst & Young, one of the Big Four accounting firms, inadvertently exposed a massive 4-terabyte SQL Server backup file on Microsoft Azure, a configuration error that could have provided attackers with access to sensitive financial records, credentials, and authentication tokens belonging to major corporations.
Security researchers from Neo Security discovered the publicly accessible database backup through routine attack surface mapping, highlighting a critical vulnerability in modern cloud infrastructure management.
The exposure represents one of the most significant cloud misconfiguration incidents in recent memory.
A single 4TB SQL Server backup (.BAK) file contained not just database schemas and stored procedures, but potentially millions of API keys, session tokens, user credentials, cached authentication tokens, and service account passwords.
For any organization handling sensitive financial data and corporate intelligence, this represents an existential threat to data security and client confidentiality.
The discovery process began with passive reconnaissance.
A Neo Security researcher noticed an unusual HTTP response during routine network traffic analysis: a HEAD request returned metadata indicating a 4-terabyte file accessible from the public internet.
The file naming conventions and magic bytes (the digital fingerprint of file types) immediately confirmed the worst-case scenario: an unencrypted SQL Server database backup sitting openly accessible to anyone with an internet connection.
The Verification and Responsible Disclosure
Confirming the exposure belonged to EY required meticulous detective work. DNS SOA record lookups ultimately pointed to ey.com, revealing the organization behind the misconfigured Azure storage.
Rather than downloading the entire file, which would constitute a felony, the researcher analyzed the first kilobytes to confirm file integrity and format authenticity.
The exposed file was unmistakably a complete database backup containing mission-critical data.
Neo Security faced the challenging reality of responsible disclosure.
With no readily available security contact information and the incident occurring over a weekend, the team conducted cold outreach through LinkedIn, eventually connecting with EY’s security team.
The response was exceptional: no defensiveness, no legal threats, just professional incident response. Within one week, EY’s CSIRT had triaged and fully remediated the exposure.
The incident underscores a fundamental vulnerability in modern cloud architecture: the gap between infrastructure complexity and human oversight. Cloud platforms prioritize convenience over security defaults.
A single misconfigured Access Control List (ACL), with permissions changed from private to public, transforms an entire terabyte-scale backup into a publicly accessible goldmine for threat actors.
The real danger isn’t sophisticated attackers specifically targeting organizations; it’s the massive distributed scanning infrastructure that never sleeps, continuously sweeping the internet’s entire IPv4 space to identify exposed data buckets within seconds.
Previous incidents illustrate the urgency. A fintech company fell victim to ransomware after an engineer temporarily exposed a backup to public access for five minutes.
During that narrow window, distributed scanners identified and exfiltrated the entire database. When exposed assets exist on the public internet, the question isn’t whether attackers found them; it’s how many did.
Organizations cannot defend what they don’t know they own. Attack Surface Management has evolved from an optional security enhancement to an essential infrastructure necessity.
Continuous, automated adversarial visibility matching the scanning capabilities threat actors deploy represents the only viable defense against cloud misconfiguration catastrophes.
EY’s experience demonstrates that even the most resourced organizations remain vulnerable without relentless oversight of their expanding attack surface.
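The private-to-public ACL change described above can be checked for in an organization's own storage inventory. The following is an added example, not code from Neo Security or EY: it assumes an inventory export whose fields `allowBlobPublicAccess` and `properties.publicAccess` match what the Azure CLI reports for storage accounts and containers, while the nesting of `containers` and `blobs`, the suffix list, and every name in the sample are constructed for illustration.

```python
import json

# Constructed sample inventory; account, container and blob names are made up.
# Field names follow Azure CLI output; the nesting is an assumption of this example.
SAMPLE_INVENTORY = json.loads("""
[
  {"name": "examplefinprod", "allowBlobPublicAccess": true,
   "containers": [
     {"name": "db-backups", "properties": {"publicAccess": "container"},
      "blobs": ["ledger_full.bak"]},
     {"name": "web-assets", "properties": {"publicAccess": "blob"},
      "blobs": ["logo.png"]},
     {"name": "internal", "properties": {"publicAccess": null},
      "blobs": ["hr.bacpac"]}
   ]},
  {"name": "examplelocked", "allowBlobPublicAccess": false,
   "containers": [
     {"name": "old-dumps", "properties": {"publicAccess": "container"},
      "blobs": ["crm.bak"]}
   ]}
]
""")

# File suffixes treated as database backups (assumed list for this example).
BACKUP_SUFFIXES = (".bak", ".bacpac", ".sql", ".dump", ".mdf")

def audit_public_exposure(inventory):
    """Return one finding per container that anonymous clients can read."""
    findings = []
    for account in inventory:
        # A missing or null account flag is treated as permissive (conservative).
        if account.get("allowBlobPublicAccess") is False:
            continue  # account-level switch overrides any container ACL
        for container in account.get("containers", []):
            level = (container.get("properties") or {}).get("publicAccess")
            if level not in ("blob", "container"):
                continue  # private container
            backups = [name for name in container.get("blobs", [])
                       if name.lower().endswith(BACKUP_SUFFIXES)]
            findings.append({
                "account": account["name"],
                "container": container["name"],
                "level": level,  # "container" also allows anonymous listing
                "severity": "critical" if backups else "review",
                "backups": backups,
            })
    return findings

if __name__ == "__main__":
    for finding in audit_public_exposure(SAMPLE_INVENTORY):
        print(finding)
```

Run on a schedule against a fresh export, a new "critical" finding marks the moment a backup became anonymously readable, which is the window the scanning infrastructure described above exploits.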