Misconfigured government mail server spilled sensitive military data for weeks

What just happened? A misconfigured mailbox server used by the US government for military e-mails has been secured after being open to the Internet for the past couple of weeks. The exposed server was discovered by good-faith security researcher Anurag Sen, who alerted TechCrunch so they could pass along the notice to government officials. According to the publication, the exposed server was hosted on Microsoft's Azure government cloud for Department of Defense personnel.

Such servers are reportedly stored separately from machines used by other commercial clients. In this instance, the mailbox contained around three terabytes of internal military e-mails featuring data that is sensitive but not classified.

One e-mail seen by TechCrunch included a completed SF-86 questionnaire, a form used by those seeking to obtain or retain a security clearance in order to access classified information. These types of questionnaires are full of sensitive information and are highly desirable to foreign adversaries.

In 2015, hackers broke into the US government's Office of Personnel Management (OPM) and were able to access sensitive information on nearly four million current and former federal employees. At the time, it was described as one of the largest thefts of government data ever seen.

TechCrunch notes that government networks responsible for handling classified information are not accessible from the Internet.

Data from Shodan suggests the server started leaking information on February 8. It is unclear if anyone else besides the security researcher accessed the mailbox, which was accessible using only a web browser and knowing the server's IP address. TechCrunch believes human error is to blame for the exposure.

TechCrunch contacted the US Special Operations Command, or USSOCOM, on Sunday regarding the exposed server (USSOCOM is responsible for overseeing special operations by the Army, Navy, Marine Corps and Air Force). On Tuesday (Monday was a holiday in the US), USSOCOM spokesperson Ken McGraw said an investigation was under way and confirmed that nobody had hacked their system. The exposed server has since been secured.

Image credit: Maksim Goncharenok, Amol Tyagi