In a glaring reminder of the risks posed by unsecured databases, cybersecurity researcher Jeremiah Fowler has revealed that Builder.ai, a London-based AI-driven development platform, exposed over 1.2 terabytes of sensitive data. The database, containing over 3 million records, was reachable by anyone on the internet without a password and was not encrypted, and it remained that way for nearly a month after Fowler reported it, leaving a trove of customer and internal information open to potential exploitation.
What Was Exposed?
The unprotected database included a wide range of sensitive documents, such as customer cost proposals, invoices, tax files, and non-disclosure agreements (NDAs). Of particular concern were access keys and configuration details for two separate cloud storage databases, which could have granted malicious actors access to even more sensitive data.
“Storing administrative credentials and access keys in plain text within the same database creates a critical vulnerability,” Fowler warned. “These keys should never be stored where they can be identified and exploited.”
The database contained over 337,000 invoices and nearly 33,000 files labeled as master service agreements, which detailed project costs, customer identities, and sensitive email correspondence. Many records referenced Engineer.ai, the company’s former name before it rebranded in 2019. The exposure puts at risk Builder.ai’s extensive client base, spanning businesses, schools, and organizations that rely on its human-assisted AI solutions to develop applications.
Delayed Response Raises Concerns
Despite Fowler’s prompt disclosure, Builder.ai did not secure the database quickly. In a follow-up email, the company cited "complexities with dependent systems" as the reason for the delay. The explanation points to a broader problem: when a data store is tightly coupled to other systems, taking it offline or restricting access is no longer a simple change, and Fowler notes that such dependencies can “seriously delay incident response and remediation processes, potentially exacerbating risks.”
Risks of Exposed Data
An exposure of this kind creates several distinct risks. The most immediate are targeted phishing and invoice fraud: with genuine contract and billing details in hand, a criminal can convincingly impersonate a vendor or customer and redirect payments.
“When criminals have access to sensitive details like customer contracts or billing records, they can create convincing fraudulent invoices,” Fowler explained. “All it takes is one successful attempt to cause significant financial loss.”
Because access keys for two cloud storage accounts were stored alongside the data, anyone who read the database could also have reached those accounts. That opens the door to wider data exfiltration and to ransomware, since an attacker holding the keys could copy or encrypt the stored contents.
Lessons Learned and Recommendations
Fowler’s findings serve as a cautionary tale for organizations across industries. He underscores the importance of proactive security measures to safeguard sensitive data:
Access Controls: Require authentication on every database and storage endpoint, restrict network exposure so that internal data stores are not reachable from the public internet, and add multi-factor authentication for administrative access.
Data Encryption: Protect sensitive data at rest and in transit, and keep credentials out of the data they unlock; an access key stored in plain text next to customer records turns a single exposed database into a path to other systems.
Incident Response Planning: Ensure a clear plan is in place to address vulnerabilities promptly, including an up-to-date map of which systems depend on which, so that a dependency does not stall remediation once a problem is reported.
Regular Security Audits: Conduct vulnerability scans, penetration tests, and audits of internal systems and third-party vendors, including checks for publicly reachable data stores and for secrets stored in plain text.
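The two findings that matter most here, cloud access keys sitting in plain text inside customer records and the recommendation to audit data stores regularly, can be turned into a concrete check. The following Python script is an added example, not code from the article, from Fowler, or from Builder.ai. It walks an exported set of database records and flags fields that look like embedded credentials: exact matches for the publicly documented AWS access key ID format, plus a heuristic for secret-looking field names carrying long, high-entropy values. The sample records, the field-name list, and the entropy threshold are constructed for the example; the AWS key values are the placeholder values from AWS’s own documentation.

```python
import math
import re
from typing import Any, Dict, Iterator, List, Tuple

# The AWS access key ID format (AKIA or ASIA followed by 16 upper-case
# alphanumerics) is documented publicly by AWS. Everything below it is a
# heuristic chosen for this example, not an exhaustive secret-scanning ruleset.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Field names that commonly hold secrets when an application stores them
# in plain text next to ordinary records (assumed list for the example).
SENSITIVE_FIELD = re.compile(
    r"(secret|password|passwd|token|private_key|access_key|connection_string|api_key)",
    re.IGNORECASE,
)
MIN_SECRET_LEN = 16       # shorter values are treated as labels, not keys
ENTROPY_THRESHOLD = 3.5   # bits per character; random keys score well above this


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character. Prose sits around 3; keys sit above 4."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def walk(value: Any, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, string_value) for every string leaf in a nested record."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from walk(v, f"{path}.{k}" if path else k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from walk(v, f"{path}[{i}]")
    elif isinstance(value, str):
        yield path, value


def scan_record(record: Dict[str, Any], record_id: str) -> List[Dict[str, str]]:
    """Return one finding per field that looks like an embedded credential."""
    findings: List[Dict[str, str]] = []
    for path, text in walk(record):
        # Exact, well-known format first: no entropy guesswork needed.
        if AWS_ACCESS_KEY_ID.search(text):
            findings.append({"record": record_id, "field": path, "kind": "aws_access_key_id"})
            continue
        # Heuristic: a secret-looking field name holding a long random-looking value.
        field_name = path.rsplit(".", 1)[-1]
        if (
            SENSITIVE_FIELD.search(field_name)
            and len(text) >= MIN_SECRET_LEN
            and shannon_entropy(text) > ENTROPY_THRESHOLD
        ):
            findings.append({"record": record_id, "field": path, "kind": "high_entropy_secret"})
    return findings


def scan_records(records: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Scan a list of exported records (e.g. parsed from a JSON dump)."""
    findings: List[Dict[str, str]] = []
    for rec in records:
        findings.extend(scan_record(rec, str(rec.get("_id", "?"))))
    return findings


# Constructed sample export: one ordinary invoice, one storage configuration
# that embeds cloud credentials, and one record whose field name looks
# sensitive but whose value is too short to be a key.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"_id": "inv-1001", "type": "invoice", "customer": "Example Ltd",
     "amount": "4,200.00", "notes": "Net 30 payment terms"},
    {"_id": "cfg-7", "type": "storage_config", "buckets": [
        {"name": "assets",
         # Placeholder values from AWS documentation, not real credentials.
         "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",
         "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}]},
    {"_id": "usr-3", "type": "user", "password_reset_token": "pending"},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['record']}: {f['field']} looks like {f['kind']}")
```

Run against a real export, the script points a reviewer at the exact records to rotate keys for and purge. It does not replace a proper secret scanner, but it shows the shape of the control: credentials belong in a separate, access-controlled secrets store, and an audit should confirm that none have leaked into the data they protect.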
“Organizations must prepare for when a data incident happens, not if it will happen,” Fowler stressed.
Builder.ai’s Response
The company’s response has been limited, and it remains unclear whether the exposed database was managed in-house or by a third-party contractor. There is also no confirmation of how long the database was publicly accessible before Fowler found it, or whether anyone else accessed it during that time; only a review of access logs, if they exist, could answer that.
A Wake-Up Call for the Industry
Builder.ai, which raised over $450 million in funding and ranked highly on Fast Company’s “Most Innovative Companies” list, now faces a reputational challenge. This incident underscores the critical need for businesses to invest in robust cybersecurity protocols, especially as reliance on complex AI-driven systems increases.
While Fowler’s ethical research avoided direct exploitation, his findings highlight the real-world risks posed by unsecured databases. For organizations like Builder.ai, it’s a stark reminder of the cost of complacency in an increasingly digital world.