The U.S. Department of Defense has secured an exposed server that had been leaking internal U.S. military emails to the open internet for two weeks. The server was hosted on Microsoft’s Azure government cloud for Department of Defense customers, which is used to share sensitive but unclassified government data. The server was part of an internal mailbox system containing about three terabytes of internal military emails, many of which pertained to U.S. Special Operations Command. The misconfiguration left the server without a password, allowing anyone on the internet access to sensitive mailbox data using only a web browser and the IP address.
Good-faith security researcher Anurag Sen discovered the exposed server over the weekend and provided details to TechCrunch, which alerted the U.S. government. The server contained internal military email messages dating back years, some of which contained sensitive personnel information, including a completed SF-86 questionnaire, a form that contains highly sensitive personal and health information used to vet individuals before they are cleared to handle classified information. These personnel questionnaires contain a significant amount of background information on security clearance holders that is valuable to foreign adversaries.
None of the limited data seen by TechCrunch appeared to be classified, which would be consistent with USSOCOM’s civilian network, since classified networks are inaccessible from the internet. The mailbox server was first detected as spilling data on February 8, according to a listing on Shodan, a search engine that crawls the web for exposed systems and databases. It is not clear how the mailbox data became exposed to the public internet, but it is likely due to a misconfiguration caused by human error.
An investigation began on Monday and is currently underway. A senior Pentagon official confirmed they had passed details of the exposed server to USSOCOM. The spokesperson did not say whether the Department of Defense had the technical ability to detect any evidence of improper access or data exfiltration from the database during the two-week window that the cloud server was accessible from the internet.