A US Department of Defense cloud server was found wide open on the internet, leaking vast amounts of sensitive US military emails.
A white hat hacker discovered a US Department of Defense (DoD) cloud server that was left exposed on the internet for at least two weeks before it was taken offline by the government.
The known white hat security researcher, Anurag Sen, confirmed the discovery with Cybernews on Tuesday.
Sen said he found the open Pentagon server on Saturday, February 18 while using the Shodan search engine.
The Pentagon server, hosted on the Microsoft Azure Government cloud, was part of an internal mailbox system containing roughly three terabytes of internal military emails – many connected to the US Special Operations Command (USSOCOM), as first reported by TechCrunch.
Sen said: “It was registered under US DoD Azure emailing server. So that’s how I confirmed it belonged to US DoD.”
Shodan is often used by developers and ethical hackers – as well as the bad guys – to scan the internet for connected devices.
Sen told Cybernews “the server was open without any authentication since February 8”, but was not able to confirm one way or another if anyone else had seen the leaked emails.
“There was no authentication. Anyone knowing [the] IP address and how to look could have access to it,” said Sen.
On the same day he found the leak, Sen said he reported it to the news outlet TechCrunch.
The news outlet then “asked the DoD to confirm it [the leak] through verifying their logs”, said Sen.
USSOCOM spokesperson Ken McGraw told the news outlet in an email an official investigation was underway since Monday.
“We can confirm at this point is no one hacked US Special Operations Command’s information systems,” said McGraw.
Since the report, the IP address has been taken offline, although Sen said “it took time to secure due to the weekend”.
“At the time it was taken offline, the server was close to 3 TerraBytes [sic] with trove of email logs," according to Sen.
The exposed server – used solely by Department of Defense customers – can be used to share sensitive, but unclassified government data, according to TechCrunch, which was able to look at a sample of the massive collection of emails.
Some of the emails dated back years, some contained sensitive personnel information, and others contained completed federal security clearance questionnaires filled with personal health data and highly sensitive personal details, reported TechCrunch.
Sen believes someone configuring the server made some sort of mistake – a big mistake in this case.
"I couldn't confirm what was the reason, only a DoD internal investigation can tell us more about details. But as from my past experience, it's likely the result of misconfiguration done by human error," Sen said.
Cybernews will follow the story.
More from Cybernews:
Subscribe to our newsletter