On Monday, the U.S. Department of Defense shut down a server that had been leaking private emails from the American military to the public internet for the previous two weeks.
The exposed server was hosted on Microsoft’s Azure government cloud for Department of Defense customers, which runs on servers physically isolated from other commercial customers and can therefore be used to store sensitive but unclassified government data. The server was part of an internal mailbox system holding about three terabytes of internal military emails, many of them relating to USSOCOM, the U.S. Special Operations Command, the military organization responsible for carrying out special operations.
Because of a misconfiguration, however, the server had no password set, so anyone on the internet could read the mailbox data simply by knowing the server’s IP address.
Anurag Sen, a good-faith security researcher known for finding sensitive information that has been inadvertently published online, discovered the exposed server over the weekend and alerted TechCrunch so that we could notify the U.S. government.
The server contained years of internal military emails, some of which included personal information about personnel. One of the exposed files was a completed SF-86 questionnaire, the form federal employees seeking a security clearance fill out; it contains highly sensitive personal and health information used to screen people before they are cleared to handle classified material. These questionnaires hold a good deal of background data on clearance holders that is valuable to foreign adversaries: in the 2015 breach of the U.S. Office of Personnel Management, suspected Chinese hackers stole millions of background check files on government workers who had sought security clearances.
None of the limited data TechCrunch reviewed appeared to be classified, which would be consistent with the server belonging to USSOCOM’s civilian (unclassified) network, since classified networks are not reachable from the internet.
According to a listing on Shodan, a search engine that crawls the internet for exposed systems and databases, the mailbox server was first seen exposed on February 8. The exact cause is unclear, but it was most likely a configuration error introduced by human mistake.
TechCrunch contacted USSOCOM on Sunday morning, during a U.S. holiday weekend, but the exposed server was not secured until Monday afternoon. A senior Pentagon official reached by email confirmed that details of the exposed server had been passed to USSOCOM. The server became inaccessible shortly afterward.
Ken McGraw, a spokesman for USSOCOM, said in an email on Tuesday that an investigation begun on Monday is ongoing. “We can confirm at this time that the information systems of U.S. Special Operations Command have not been hacked,” said McGraw.
It is not known whether anyone other than Sen found the exposed data during the roughly two weeks the cloud server was reachable from the internet. TechCrunch asked the Department of Defense whether it has the technical ability to use logs to identify any evidence of unauthorized access to, or data exfiltration from, the server, but the spokesperson did not respond.
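The question the article ends on, whether server logs can show who reached an exposed host during its exposure window and how much they pulled, is a routine incident-response triage task. The following is an added example written for this page; it is not TechCrunch’s, the Department of Defense’s, or Microsoft’s code, and it does not reflect any real log from the incident. The log format, the trusted internal IP range, the window end time and year, and every log line below are constructed for illustration. It filters successful requests inside the window from sources outside a trusted allowlist, totals bytes per source as an exfiltration indicator, and checks whether any request in the window was rejected for lack of credentials, which is the signal one would expect to be absent from a server that had no password set.

```python
"""Triage of constructed access-log lines for an exposure window.

Added example for this page; not code from the article or from DoD/Azure tooling.
Log format, IP ranges, dates and byte counts are all constructed for illustration.
"""
from datetime import datetime, timezone
import ipaddress

# Constructed sample log: "<ISO timestamp> <client ip> <method> <path> <status> <bytes>".
SAMPLE_LOG = """\
2023-02-07T22:15:03Z 10.20.0.5 GET /mailbox/inbox 200 1843
2023-02-08T03:41:12Z 10.20.0.5 GET /mailbox/inbox 200 2011
2023-02-09T11:02:55Z 198.51.100.23 GET /mailbox/ 200 53120
2023-02-09T11:03:40Z 198.51.100.23 GET /mailbox/export?all=1 200 2147483648
2023-02-12T08:22:01Z 203.0.113.77 GET /mailbox/inbox 200 4096
2023-02-19T16:45:30Z 203.0.113.77 GET /mailbox/export?all=1 200 1073741824
2023-02-20T19:10:00Z 10.20.0.9 GET /mailbox/inbox 401 0
"""

# Exposure window: the start date comes from the article's Shodan listing (February 8);
# the year and the Monday-afternoon end time are assumptions made for this example.
WINDOW_START = datetime(2023, 2, 8, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 2, 20, 18, 0, tzinfo=timezone.utc)

# Hypothetical internal range that is allowed to reach the mailbox server.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_line(line):
    """Parse one constructed log line into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, ip, method, path, status, nbytes = parts
    try:
        return {
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ip": ipaddress.ip_address(ip),
            "method": method,
            "path": path,
            "status": int(status),
            "bytes": int(nbytes),
        }
    except ValueError:
        return None


def in_window(rec, start, end):
    return start <= rec["time"] <= end


def is_trusted(ip, networks):
    return any(ip in net for net in networks)


def find_unauthorized_access(log_text, start, end, trusted):
    """Summarise successful (status < 400) requests from untrusted sources inside the window.

    Returns {ip: {"requests": n, "bytes": total, "first_seen": dt, "last_seen": dt}}.
    """
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not in_window(rec, start, end):
            continue
        if rec["status"] >= 400 or is_trusted(rec["ip"], trusted):
            continue
        entry = summary.setdefault(str(rec["ip"]), {
            "requests": 0, "bytes": 0, "first_seen": rec["time"], "last_seen": rec["time"]})
        entry["requests"] += 1
        entry["bytes"] += rec["bytes"]
        entry["first_seen"] = min(entry["first_seen"], rec["time"])
        entry["last_seen"] = max(entry["last_seen"], rec["time"])
    return summary


def flag_exfiltration(summary, threshold_bytes):
    """Source IPs whose total transfer in the window exceeds the threshold, largest first."""
    hits = [ip for ip, e in summary.items() if e["bytes"] > threshold_bytes]
    return sorted(hits, key=lambda ip: summary[ip]["bytes"], reverse=True)


def auth_enforced_in_window(log_text, start, end):
    """True if any request inside the window was rejected with 401 or 403.

    Seeing no rejections at all is consistent with a server that accepted
    connections without a password during the window.
    """
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and in_window(rec, start, end) and rec["status"] in (401, 403):
            return True
    return False


if __name__ == "__main__":
    hits = find_unauthorized_access(SAMPLE_LOG, WINDOW_START, WINDOW_END, TRUSTED_NETWORKS)
    for ip, e in hits.items():
        print(f"{ip}: {e['requests']} requests, {e['bytes']} bytes, "
              f"{e['first_seen']:%Y-%m-%d} to {e['last_seen']:%Y-%m-%d}")
    print("bulk transfer from:", flag_exfiltration(hits, 1 << 30))
    print("auth enforced during window:",
          auth_enforced_in_window(SAMPLE_LOG, WINDOW_START, WINDOW_END))
```

On the constructed lines the two untrusted sources are both flagged for pulling more than a gigabyte, and the only 401 falls after the assumed end of the window, so the script reports that authentication was never enforced while the server was exposed. In practice the same logic would be pointed at the cloud provider’s access or flow logs, and the absence of such logs for the window is itself a finding.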