Cybersecurity researcher Anurag Sen said Tuesday he discovered an exposed Department of Defense computer server containing a large trove of internal U.S. military emails.
Mr. Sen said the Microsoft Azure server contained approximately three terabytes of data, and he shared some of the information with The Washington Times, including emails involving U.S. Special Operations Command.
Precisely who else may have had access to the data is not fully known.
“The server … was left exposed without any authentication likely due to misconfiguration. This happens most likely due to human error,” Mr. Sen said.
The likely human error meant the server was not password protected and anyone who knew where to look would have had access after the misconfiguration occurred approximately two weeks ago, he said.
SOCOM declined to comment Tuesday and referred questions to U.S. Cyber Command, which did not immediately answer.
Mr. Sen said he discovered the problem while doing a routine check and he did not contact the U.S. government directly out of fear that it may incorrectly view him as a threat. He said he discovered the vulnerability Saturday and contacted the tech publication TechCrunch, who then alerted the U.S. government.
Mr. Sen previously collaborated with TechCrunch Security Editor Zack Whittaker, who reported Tuesday that Mr. Sen was a “good-faith security researcher.”
Mr. Whittaker wrote that the exposed server was secured on Monday after he contacted the U.S. government on Sunday. SOCOM told TechCrunch on Tuesday morning that no one had hacked its information systems.
Emsisoft Threat Analyst Brett Callow said server misconfigurations can enable the exposure of sensitive information that could be used for several purposes. One potential scam enabled by misconfigurations is spearphishing, which involves using electronic communications such as email to trick someone into giving improper access or sensitive information.
Details on who was responsible for allegedly making the server vulnerable remained unclear. Microsoft did not immediately answer questions on Tuesday, including whether it bore responsibility for the exposed server.
Problems with Microsoft’s tech previously enabled hacks from China-sponsored attackers. For example, Microsoft said in March 2021 that it observed the China-sponsored Hafnium using previously unknown exploits to attack Microsoft Exchange Server software.
The Biden administration later identified China as the culprit behind the malicious activity against Microsoft, pointing to China’s Ministry of State Security as responsible for the cyberattacks aimed at Microsoft Exchange Server email software. The U.S. government formally attributed the attacks to China in the summer of 2021 alongside several other countries.