The Moscow-based document scanning company Abbyy inadvertently exposed thousands of customers’ corporate documents when a server was left misconfigured, a security analyst said.
The exposure is the latest involving misconfigured MongoDB databases, which have involved a number of high-profile companies in recent months.
Independent security researcher Bob Diachenko said when he found the server through the Shodan search engine it was configured for access without a password.
The server was hosted on Amazon’s cloud-based AWS platform, which has hosted so many misconfigured databases that Amazon created an automated tool to alert users when they’ve accidentally left data publicly accessible.
Diachenko said the server contained 142GB of data, including large amounts of sensitive information.
“The MongoDB in question… contained a large chunk of scanned documents (more than 200,000 contracts, (non-disclosure agreements), memos, letters and other internal documentation…) which apparently were stored by Abbyy partners using their administration console,” Diachenko wrote in an advisory.
After determining the database belonged to Abbyy, he contacted the company, which quickly closed off access to the data earlier this month.
It was unclear how long the data was exposed or who may have accessed it.
Abbyy said the breach affected only one customer, but didn’t specify who it was.
The company provides document-scanning services to a number of large corporate clients, including Volkswagen, PepsiCo, McDonald’s and the Australian Taxation Office.
Abbyy said it had restricted access to the documents as soon as it was notified, and said the breach was a “one-off incident” that didn’t compromise other services, products or clients.
“Our commitment to security and trust is extremely important,” Abbyy said in a statement. “Further analysis is ongoing.”
Firms recently affected by MongoDB misconfigurations include a virtual keyboard for Android called AI.type, which has more than 40 million users, and the popular app Sitter, which connects parents with babysitters.
Last year the Australian government exposed the details of tens of thousands of government and bank employees through an AWS server, while a security firm leaked the CVs of thousands of former US military personnel.
Workers at Amazon warehouse near Raleigh vote against joining union, as company continues to challenge…
High-profile meeting with tech leaders seen as signal China is boosting tech sector after years…
South Korea hopes to gain leg up in international AI race with infusion of private…
Chinese electric vehicle giants rush to incorporate DeepSeek AI tech to cars after it creates…
South Korean data authority suspends Chinese AI start-up DeepSeek from Apple, Google app stores while…
Privacy advocates criticise Google over decision to allow companies to track users via digital fingerprints,…