Misconfigured installations of enterprise technologies have caused more than a petabyte of data to be exposed online, according to a new report from BinaryEdge.

The Switzerland-based security engineering firm probed four popular enterprise technologies in its study, namely Redis, MongoDB, Memcache, and Elasticsearch, and found that configuration problems had led to numerous glaring weaknesses in all of them.

For example, it found that 35,330 instances of Redis cache and store archives were accesible without any authentication required. It was even worse for NoSQL database MongoDB, where more than 39,000 databases were found to be exposed. Meanwhile a staggering 118,000 Memcache instances were similarly exposed, while more than 8,000 Elasticsearch servers also responded to BinaryEdge’s probes.

In total, the Swiss firm found some 1,175 terabytes of data (1.17 petabytes) could be easily accessed online without any authentication required.

BinaryEdge noted that many organizations were running older versions of the software it scanned, and warned that in some cases even servers could be exposed. “Companies are still figuring out how to use these technologies and by default they are not secure,” the security firm stated in a blog post.

According to The Register, which spoke to BinaryEdge’s CEO Tiago Henriques, the problem in almost all cases was one of misconfiguration that led to data being exposed on the Internet, rather than flaws in the software itself. Many problems were due to firewalls and other security technologies being improperly deployed, which means the systems were wide open to anyone wishing to probe them.

Henriques explained to The Register that, although his team didn’t actually look at any of the data exposed, it did perform analysis on database and key names. This analysis revealed that the data exposed was in many cases what companies would consider to be critical data.

“There are also a lot of usernames and passwords and also session tokens which could be used to take over active sessions,” Henriques told The Register. “We also have databases from pharmaceutical companies, hospitals which are named ‘patient’ and ‘doctor-list’ and to finish we have banks as well, with databases named ‘coin’ and ‘money’”.

BinaryEdge said in its blog post said its intention was to warn companies whenever it found their data might be at risk, before offering them a commercial service that will help them identify and close open technologies in their networks.

Photo Credit: altemark via Compfight cc