Led by Noam Rotem and Ran Locar, vpnMentor’s research team recently discovered a breached database, containing more than 135 million records. The database, claims vpnMentor, belongs to Cloud backup provider SOS Online Backup. 

Based in the U.S., SOS Online Backup is a secure cloud-based backup provider, offering personal and business packages to customers around the world. They have 12 data centers around the world in the US, Canada, Australia, United Kingdom, India, Ukraine, and South Africa.

The team discovered the database in November 2019, analyzed the database on December 9th, and contacted SOS Online Backup the next day. While they didn’t receive a reply from the company, the breach was closed around December 19th, 2019. 

The exposed database contained more than 135 million records, totaling almost 70GB of metadata related to user accounts on SOS Online Backup. This included structural, reference, descriptive, and administrative metadata covering many aspects of SOS Online Backup’s cloud services. Aside from metadata relating to SOS Online Backup, the database also contained personally identifiable information (PII) data of their customers. This included:

  • Full Name
  • Email address
  • Phone number
  • Internal company details (corporate customers)
  • Account usernames

Due to the size of the database, there’s potential it affected SOS Online Backup users around the world, impacting their entire user base, notes the vpnMentor team. 

By exposing so much metadata and user PII, SOS Online Backup has made itself and its customers vulnerable to a wide range of attacks and fraud, warns the research team, as this database "could have been a goldmine for cybercriminals and malicious hackers, with access to cloud storage highly sought after in the online criminal underworld."

Finally, says the research team, there is also the potential for legal action from governments and regulatory bodies within countries that SOS Online Backup operates. California, where the company is based, recently passed the California Consumer Privacy Act (CCPA). "This is just one example of new government legislation tackling consumer data privacy and breaches in data security by private companies. If SOS Online Backup was found to be leaking the data of EU citizens, they would also fall within the jurisdiction of the bloc’s GDRP rules. Each of these eventualities would further damage SOS Online Backup’s reputation, market share, and revenue," adds the research team. 

For the full report, visit vpnMentor's blog