A massive data leak at Builder.ai has exposed sensitive information of over 3 million users, according to recent findings by security researcher Jeremiah Fowler. The British no-code/low-code platform, which helps businesses create custom software applications, left a substantial database unprotected and accessible online.
The exposed database, totaling 1.29 TB in size, contained 3,077,542 records, including confidential business documents such as:
- Non-disclosure agreements (NDAs)
- Cost proposals and invoices
- Tax documents
- Email correspondence screenshots
- Internal image files
- Cloud storage access credentials

Of particular concern were documents containing access keys and configuration details for two separate cloud storage systems, which could grant unauthorized access to additional sensitive information.
The leak included 337,434 invoices and 32,810 master service agreements containing NDAs. These documents exposed various user details, including names, email addresses, IP addresses, and project cost summaries.
When notified about the security breach, Builder.ai reportedly struggled to secure the database, citing "complexities with dependent systems." It remains unclear whether the database has since been properly protected.
Security experts warn that this type of data exposure could enable cybercriminals to conduct sophisticated phishing attacks, commit identity theft, or perpetrate wire fraud schemes. The incident highlights an ongoing issue with misconfigured databases in cloud environments, where organizations often fail to implement proper security measures.
This breach serves as a reminder for companies to regularly audit their cloud security settings and understand their responsibilities in protecting sensitive user data.