Sensitive military emails spilled online for the past two weeks due to a government cloud email server being connected to the internet without a password.
For two weeks, an exposed server leaked internal U.S. military emails to the open internet.
The Department of Defense has now secured the server, which was hosted on Microsoft’s Azure government cloud for Department of Defense customers.
That cloud uses servers that are physically separated from other commercial customers. Therefore, it can be used to share sensitive but unclassified government data.
The server was packed with internal military email messages, dating back years, some of which contained sensitive personnel information.
Many of the internal military emails pertained to U.S. Special Operations Command, the military unit tasked with conducting special military operations.
A USSOCOM spokesperson said that an investigation is underway and that the specialized military unit can confirm that no one hacked their information systems.
The server was part of an internal mailbox system that stored three terabytes of military emails.
A misconfiguration left the server without a password. It is not clear how it became exposed to the public internet, but experts say it is likely due to a misconfiguration caused by human error.
This meant that anyone on the internet who knew the IP address could access the sensitive mailbox data using only a web browser.
The exposed server was found by a good-faith security researcher, Anurag Sen, who is known for discovering sensitive data that has been inadvertently published online.
One of the exposed files included a completed SF-86 questionnaire, which is filled out by federal employees seeking a security clearance and contains highly sensitive personal and health information for vetting individuals before they are cleared to handle classified information.
These personnel questionnaires contain a significant amount of background information on security clearance holders that is valuable to foreign adversaries.