 
						
Cybersecurity firm Neo Security discovered a 4TB SQL Server backup belonging to accounting giant Ernst & Young (EY) publicly accessible on Microsoft Azure during a routine scan.
Neo Security’s lead researcher identified a 4TB publicly exposed file during passive network analysis. The file’s .BAK extension indicated a full SQL Server database backup, likely containing sensitive data such as schemas, user information, API keys, credentials, and authentication tokens.
“Neo Security’s lead researcher discovered the file while examining passive network traffic with low-level tools. A simple HEAD request designed to retrieve metadata without downloading content revealed a massive size: 4 terabytes of data, which is equivalent to millions of documents or the contents of an entire library,” reported Cybersecurity News.
Initial Azure Blob searches revealed no owner, but merger documents and a DNS SOA lookup linked the 4TB SQL Server backup to EY. Neo Security verified that the file was unencrypted by downloading just 1,000 bytes, and judged the risk to be real given past fintech breaches that followed brief .BAK exposures.
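For defenders auditing their own storage inventory, the two checks described above (a HEAD request for size metadata, then a 1,000-byte sample to judge encryption) can be scripted. This is an added example, not code from Neo Security or the original report; the extension list, the 1 GiB cutoff and the entropy threshold are assumptions, and entropy is only a heuristic for "looks unencrypted".

```python
import math
import urllib.error
import urllib.request
from collections import Counter

SAMPLE_BYTES = 1000  # same sample size the article mentions
BACKUP_EXTS = (".bak", ".bacpac", ".sql", ".dump")  # assumption: worth flagging

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8 suggest ciphertext or compression."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(url: str, status: int, content_length: int, sample: bytes) -> str:
    """Pure decision logic, kept separate so it can be tested offline."""
    if status != 200:
        return "not-anonymous"  # e.g. 401/403/404: no anonymous read
    findings = ["PUBLIC"]
    if url.lower().split("?")[0].endswith(BACKUP_EXTS):
        findings.append("backup-extension")
    if content_length >= 1 << 30:
        findings.append("large(>=1GiB)")
    # Assumed threshold: 1000 random bytes measure roughly 7.8 bits/byte.
    if sample and shannon_entropy(sample) < 7.0:
        findings.append("likely-unencrypted")
    return ",".join(findings)

def probe(url: str) -> str:
    """Unauthenticated HEAD for metadata, then a ranged GET for the sample.
    Run it only against URLs from your own asset inventory."""
    head = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(head, timeout=10) as r:
            status = r.status
            length = int(r.headers.get("Content-Length", 0))
    except urllib.error.HTTPError as e:
        return classify(url, e.code, 0, b"")
    rng = {"Range": f"bytes=0-{SAMPLE_BYTES - 1}"}
    get = urllib.request.Request(url, headers=rng)
    with urllib.request.urlopen(get, timeout=10) as r:
        return classify(url, status, length, r.read(SAMPLE_BYTES))
```

Any result starting with `PUBLIC` means the object answers without credentials and should be treated as already discovered by others.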
“Trying to confirm ownership can be hard. He started digging. Company name searches led to business merger documents. In a south-central European language. He fed them through DeepL. The translation revealed the company was acquired in 2020 by a larger entity, but the parent company name wasn’t immediately obvious,” reads the report published by Neo Security. “Then he ran an SOA record lookup. A ‘Start of Authority’ DNS query, basically asking the internet’s phonebook ‘who’s really in charge of this domain?’ The response came back pointing to an authoritative DNS server: ey.com.”
“This wasn’t some startup. This was Ernst & Young,” adds the report.
In a past incident, attackers exploited a brief cloud exposure to steal PII and credentials. Neo Security responsibly disclosed EY’s 4TB backup, contacting EY’s CSIRT after 15 failed attempts.
EY quickly remediated the issue, confirming no client or confidential data was affected. Experts stress that automated scanning makes exposures inevitable, highlighting the need for continuous cloud visibility and leak detection tools.
Given modern automated scanning tools, the exposure meant that countless actors could have discovered it, so the concern wasn’t “if” someone found it, but “how many.”
The incident highlights two critical points:
(SecurityAffairs – hacking, Ernst & Young)