A poorly secured database leaves 16TB of personal data exposed online

  • Marijan Hassan - Tech Journalist
  • 2 hours ago
  • 2 min read

Cybersecurity researchers working with Cybernews have uncovered a massive, unsecured MongoDB database containing an estimated 4.3 billion records totaling over 16 terabytes (TB) of highly detailed professional and corporate intelligence data.



The discovery, made by researcher Bob Diachenko, highlights the persistent and catastrophic risk posed by simple database misconfiguration, which continues to plague organizations relying on NoSQL systems like MongoDB.


The goldmine for cybercriminals

The leaked dataset is one of the largest lead generation data troves ever found on the open internet. It was meticulously organized, strongly suggesting it was derived from an extensive scraping and enrichment operation, potentially sourced from sites including LinkedIn.


The exposed information, spanning nine unique collections within the database, included billions of records featuring:


  • Full Names and Email Addresses

  • Phone Numbers

  • LinkedIn URLs and Profile Handles

  • Employment Histories and Educational Attainments

  • Location Details

  • Social Media Accounts


Security analysts warn that this data is a "social engineering goldmine." Its highly structured nature, including one collection labeled "intent" with over 2 billion documents, enables malicious actors to craft highly convincing and targeted spear-phishing campaigns and Business Email Compromise (BEC) attacks against companies and professionals globally.


The misconfiguration problem

The researchers discovered the database on November 23, 2025, finding that the instance had been deployed without any password authentication or other security measures, leaving it wide open to the public internet.


This exposure was not the result of a complex hack but a "blatant oversight." The common development practice of disabling authentication for convenience during testing, and then forgetting to re-enable it before pushing to a live environment, was cited as the likely cause.


After being alerted by Cybernews, the instance's owners secured the database within two days. However, the identity of the owner remains unconfirmed, and the duration during which the 16TB of data was publicly accessible remains unknown, raising concerns about potential past exploitation.


Experts stress that the incident serves as a critical warning for all companies utilizing self-managed databases to adhere strictly to the "secure by default" principle and regularly audit cloud security posture to prevent such catastrophic, yet avoidable, leaks.
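
As an added illustration of the kind of audit the experts call for (not code from the article, Cybernews or MongoDB), the Python check below reads a self-managed `mongod.conf` and flags the combination described above: authorization left off while the listener is reachable beyond loopback. The function names, finding codes and sample configs are constructed for this example; `security.authorization`, `security.keyFile`, `net.bindIp` and `net.bindIpAll` are real mongod settings.

```python
import ipaddress

def flatten(conf_text):
    """Flatten the nested-mapping subset of YAML that mongod.conf uses into dotted keys."""
    flat, stack = {}, []  # stack: (indent, key) of each enclosing section
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments, e.g. a disabled security block
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if value.strip():
            flat[".".join([k for _, k in stack] + [key])] = value.strip().strip("\"'")
        else:
            stack.append((indent, key))
    return flat

def is_local_only(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # not an IP literal: hostname or Unix socket path
        return addr == "localhost" or addr.startswith("/")

def audit(conf_text):
    """Return finding codes for a mongod.conf, applying mongod's defaults for unset keys."""
    conf = flatten(conf_text)
    # security.keyFile implies authorization; with neither set, the default is disabled.
    auth_on = conf.get("security.authorization") == "enabled" or "security.keyFile" in conf
    binds = [b.strip() for b in conf.get("net.bindIp", "localhost").split(",")]
    exposed = conf.get("net.bindIpAll") == "true" or not all(map(is_local_only, binds))
    findings = []
    if not auth_on:
        findings.append("AUTH_DISABLED")
    if exposed:
        findings.append("LISTENS_BEYOND_LOOPBACK")
    if exposed and not auth_on:
        findings.append("CRITICAL_UNAUTHENTICATED_NETWORK_ACCESS")
    return findings

# Constructed samples: a test-style config with authorization commented out, and a hardened one.
TEST_CONF = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n# security:\n#   authorization: enabled\n"
HARDENED_CONF = "net:\n  bindIp: 127.0.0.1\nsecurity:\n  authorization: enabled\n"

if __name__ == "__main__":
    for name, text in (("test", TEST_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text))
```

The check covers only the config file; command-line flags passed to `mongod` and firewall or security-group rules can change the effective exposure and need to be reviewed separately.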
