European cloud provider Nextcloud leaks 367K records, exposing staff and clients
Exposed data includes scripts tailored for clients to set up Nextcloud.

Image by Cybernews.
- Nextcloud exposed 367,000 internal records after a hosting misconfiguration left an Elasticsearch database publicly accessible.
- The leaked files included invoices, contracts, employee details, emails, and setup scripts.
- Nextcloud said it fixed the issue, notified the state data protection officer, and found no evidence of exploitation.
- Exposed email data and scripts could help attackers craft phishing messages or probe client systems for weaknesses.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
The German modular workspace platform left a database unprotected, spilling invoices, contracts, scripts for managing Nextcloud infrastructure, and numerous other files. The company says no customer servers were exposed in the incident.
On May 18th, our research team discovered an exposed dataset containing 367,000 records. An investigation revealed that the cluster, with nearly 8GB of data, contained internal Nextcloud data.
Nextcloud is an open-source service that allows users to operate services similar to Google Drive or Dropbox, but with data stored locally on users’ or organizations’ servers. The service was recently touted as an integral part of Euro-Office, the European alternative to Microsoft Office and Google Docs.
The exposed files include a plethora of sensitive data, such as Nextcloud employee data, client company data, numerous contracts, and scripts developed for the company’s clients to integrate the service on their systems, potentially opening up their systems to threat actor activity.
“The data leak reveals that data security is important regardless of where the files are stored. Even though Nextcloud offers storage solutions that are set up and maintained on client servers, it does not mean that security measures should end there, too,” the team explained.
Nextcloud closed the exposed dataset two days after our researchers contacted the company, and the data is no longer public. We do not have evidence of unauthorized access to the exposed files.
However, if our team managed to discover the exposed dataset, threat actors may have too. Malicious attackers operate numerous bots on the web that scour the net looking for exactly that: misconfigured databases with data to steal.
The issue was caused by a misconfiguration of our hosting infrastructure and is not related to the Nextcloud solution. No other Nextcloud servers belonging to our customers, partners or other users have been affected by this issueNextCloud explained.
Meanwhile, NextCloud told Cybernews the company investigated the issue immediately after receiving the report, resolved it and reported it to the relevant state data protection officer. According to NextCloud, the company is unaware of anyone exploiting the leaked data.
“The issue was caused by a misconfiguration of our hosting infrastructure and is not related to the Nextcloud solution. No other Nextcloud servers belonging to our customers, partners or other users have been affected by this issue,” the company’s spokesperson said.
Nextcloud data leak: What information was exposed?
The team discovered the data leak on a publicly exposed ElasticSearch cluster. Organizations and businesses use Elasticsearch because it enables them to manage and analyze large volumes of data.
However, users sometimes leave the cluster misconfigured, inadvertently opening it up to the public. In the vast majority of cases, this happens because of simple human error.
The exposed dataset contained 7.92GB of data with 367K records exposed in total. The biggest categories of file types in the exposed dataset were:
- .pdf - around 71k
- .png - around 53k
- .md - around 23k
According to the team, all of the exposed records were found in a single index, corresponding to internal Nextcloud files. However, at least some records revealed client company information and information about Nextcloud staff.
What makes matters worse is that some of the data was unencrypted. For example, the unencrypted files included invoices that Nextcloud sent to their clients, as well as invoices the company received.
According to the team, invoices revealed Nextcloud employee email addresses, client company names and addresses, and the email addresses of individuals who sent invoices to Nextcloud.
For example, among the external email domains, the team found IONOS and STRATO, two established web hosting providers, as well as German government institutions, such as MSB NRW (Ministry of Schools and Education of the State of North Rhine-Westphalia).
“Among the exposed unencrypted records we noticed invoices, contracts, and email messages, all of which reveal business partnership information between Nextcloud and their clients,” the team explained.
Other unencrypted content included:
- Shell and Python scripts tailored for clients to set up and manage Nextcloud on their infrastructure. Some records include hardcoded database credentials.
- .eml files. Records included unencrypted email content, timestamps, as well as sender and recipient email addresses.
- Files with lists of people who signed up to use beta features, and other Nextcloud integrations, revealing full names and work email addresses.
- Contracts, templates, summaries, and other documents containing client-provider partnership details, such as the scope of work, user base, and other terms and conditions between the parties.
Meanwhile, other exposed records contained:
- HTTP headers (content type, length, language, timestamps, etc.)
- Users the files were shared with. Most of these entries show first names of likely Nextcloud staff, but some external email addresses were observed as well
- Path to file, file name, and format
- MD5 file hashes
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
What risks does the Nextcloud data leak pose?
While the data leak doesn’t directly affect Nextcloud's infrastructure, the incident still increases cybersecurity risks for the cloud service provider, its employees, and potentially exposed clients.
“Employees of both Nextcloud and its clients are at risk for targeted social engineering attacks,” our researchers explained.
Exposed invoices, email addresses, and other personal identifiers enable threat actors to craft convincing phishing emails by impersonating either Nextcloud or its clients. Recent major hacks, such as the devastating Salesforce attack, involved social engineering techniques as a starting point.
Another major risk is exposed scripts that were used to set up Nextcloud for clients. While relying on this data wouldn't be enough to fully penetrate client systems, our team believes it could be used to uncover system vulnerabilities. These, in turn, can be used for unauthorized access.
Disclosure timeline:
- Leak discovered: May 18th, 2026
- Initial disclosure: May 25th, 2026
- Leak closed: May 27th, 2026
Check if your data has been leaked