The more than 440 million records mostly consisted of names, email addresses and IP addresses, according to a report by TechCrunch and a blog post by security researcher Bob Diachenko.
Veeam uses such data to send automated marketing communications to its customers.
The database consisted of two collections of records gathered between 2013 and 2017, according to TechCrunch, which said some records may be duplicates. After TechCrunch alerted Veeam about the exposure, the database was pulled offline within three hours, the news outlet said.
The database wasn’t secured with a password, so it was accessible to anyone who was aware of it, Diachenko said.
Veeam confirmed that data may’ve been left visible but said the information was innocuous.
“It has been brought to our attention that one of our marketing databases, leaving a number of nonsensitive records (i.e. prospect email addresses), was possibly visible to third parties for a short period of time,” Veeam said in an emailed statement. “We have now ensured that all Veeam databases are secure. Veeam takes data privacy and security very seriously, and a full investigation is currently underway.”
Exposed-data incidents have hit, the and in recent months.
First published at 10:31 a.m. PT.
Update, 11:33 a.m.: Adds statement from Veeam.