
Global Network Service Provider Misconfigured Cloud Data Leak Exposes Over 380 Million Records

A global network service provider data leak has exposed over 380 million records of infrastructure and customer information via a misconfigured cloud database.

Website Planet’s cybersecurity researcher Jeremiah Fowler, who discovered the massive leak, linked the exposed server to an on-demand cloud services provider, Zenlayer.

The Los Angeles and Shanghai-based company provides various connectivity solutions, including SD-WAN (Software-Defined Wide Area Network), CDN (Content Delivery Network), and cloud services. With offices across various locations, including Mumbai, Hong Kong, and Singapore, it operates over 290 data centers across six continents.

The database, which required no password to access, exposed 380 million records, including details of Zenlayer’s internal network architecture.

“The publicly exposed database contained 384,658,212 records (totaling 57.46 GB) that included internal files and exposed customer data,” Fowler wrote in a blog post. “Upon further review, the records indicated that the data belonged to Zenlayer.”

Fowler notified the service provider but initially received no response; the cloud misconfiguration was nonetheless addressed and public access was restricted.

However, he could not determine how long the cloud database had been exposed or whether any third parties had accessed the information.

Zenlayer data leak exposed infrastructure information

“The database contained a considerable number of server, error, and monitoring logs that detailed internal information and customer data,” Fowler said.

These records expose sensitive information, putting impacted individuals and organizations at risk of various cyber-attacks. Access logs store information about server requests, including the IP addresses communicating with the host, the resources requested, the HTTP methods invoked, and the response status codes. Error logs record server issues encountered, allowing administrators to identify and debug technical problems. Security logs enumerate security events such as login attempts and authentication failures. System logs record system-level events, such as server startup and shutdown sequences, hardware and software errors, and other system-related activities.
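The log types described above carry exactly the data (client IP addresses and request paths, which often embed customer e-mail addresses) that becomes a liability once a log store is left open. As an added example, not code from the article or from Zenlayer, the following Python snippet parses access-log lines in the common Combined Log Format, zeroes the host octet of each client IP and redacts e-mail addresses from the request path before the records are forwarded anywhere; the log lines are constructed and the field names are assumed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample access-log lines (Combined Log Format); not from the leak.
SAMPLE_ACCESS_LOG = """\
203.0.113.42 - - [10/Feb/2024:13:55:36 +0000] "GET /api/customers?email=alice@example.com HTTP/1.1" 200 512 "-" "curl/8.1"
198.51.100.7 - - [10/Feb/2024:13:55:37 +0000] "POST /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"
garbage line that does not parse
"""

# Fields of a Combined Log Format line: client IP, timestamp, request, status, size, referer, UA.
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)
EMAIL = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')


@dataclass
class AccessRecord:
    """Minimised access-log record safe to ship to a shared log store."""
    ip: str
    method: str
    path: str
    status: int


def mask_ip(ip: str) -> str:
    """Zero the host octet of an IPv4 address; leave anything else untouched."""
    parts = ip.split('.')
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return '.'.join(parts[:3] + ['0'])
    return ip


def redact_line(line: str) -> Optional[AccessRecord]:
    """Parse one access-log line and strip the identifying fields; None if unparseable."""
    m = ACCESS_LINE.match(line)
    if not m:
        return None
    path = EMAIL.sub('[email]', m['path'])  # e-mail addresses in query strings are common
    return AccessRecord(mask_ip(m['ip']), m['method'], path, int(m['status']))


def redact_log(text: str) -> Tuple[List[AccessRecord], int]:
    """Redact every line; unparseable lines are counted and dropped rather than forwarded raw."""
    records, rejected = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = redact_line(line)
        if rec is None:
            rejected += 1
        else:
            records.append(rec)
    return records, rejected
```

Dropping rather than forwarding unparseable lines is deliberate: a line the parser does not understand cannot be guaranteed free of identifying data.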

“Among the records I saw in the database, there were folders with logging records marked as application, dashboard, vendor, notification, messaging, project management, workflow, and security,” Fowler explained.

The researcher also identified VPN records exposing numerous IP addresses marked as host IP, controller IP, IP LAN, jumper IP, and PXE IPM. He warned that leaking VPN IP addresses exposes an organization’s internal network infrastructure, allowing threat actors to map the network and identify potential targets for future cyber attacks.

Customer information exposed in Zenlayer data leak

The Zenlayer data leak also exposed the names and email addresses of authorized individuals, leaving them open to phishing and social engineering attacks. The researcher searched the data and identified email accounts, user roles, and internal IDs of senior leadership.

Similarly, customer information associated with subdomains was exposed in a URL format viewable in any browser.

“Each of these records indicated the customer’s email, phone number, ID number, billing method, name of the business, and number of employees,” noted Fowler.

The exact number of individuals impacted by the Zenlayer data leak remains undetermined at the moment.

Additionally, company registration details were exposed in the Zenlayer data leak. They included details of a certain telecom firm partially owned by a sanctioned Russian government entity suspected of Border Gateway Protocol hijacking. BGP hijacking involves rerouting internet traffic through an attacker’s network so that sensitive information can be intercepted.

Despite Zenlayer’s initial silence on the matter, the cloud services provider acknowledged the data leak, adding that it was working with the security researcher and would release additional details soon.