Unsecured DoD Server Leaked Terabytes of Internal Military Emails to Open Internet for Two Weeks

The US Department of Defense has secured an exposed server that had been leaking internal military emails to the public internet for two weeks, according to TechCrunch.

The server was part of an internal mailbox system that stored around three terabytes of internal military emails, many of which related to the US Special Operations Command (USSOCOM), the US military unit responsible for special military operations.

The server was hosted on Microsoft’s Azure government cloud for Department of Defense customers, which uses physically separated servers to share sensitive, unclassified government data.

The exposed server was accessible to anyone on the internet without a password, via a web browser and its IP address, due to a misconfiguration that left it unprotected.

Anurag Sen, a security researcher, discovered the exposed server over the weekend and alerted TechCrunch, which then contacted the US government.

The mailbox server contained internal military emails dating back years, some of which included sensitive personnel information.

One file exposed on the server included a completed SF-86 questionnaire, which federal employees fill out when seeking a security clearance, and which includes highly sensitive personal and health information.

In 2015, Chinese hackers stole millions of similar background check files from the US Office of Personnel Management, TechCrunch notes.

None of the data seen by TechCrunch appeared to be classified, which is consistent with USSOCOM’s civilian network, as classified networks are not accessible from the internet.

However, the personnel questionnaires contained a significant amount of background information on security clearance holders, which could be valuable to foreign adversaries.

According to Shodan, the mailbox server was first detected spilling data on February 8. It is not clear how the mailbox data became exposed to the public internet.

The Pentagon was alerted on Sunday, but the exposed server was only secured on Monday afternoon.

USSOCOM confirmed that an investigation is underway, stating that “no one hacked US Special Operations Command’s information systems.”