Data Leak

Nextcloud Exposed: Open Database Leaked Invoices, Contracts, and Internal Files

Data Leak, Nextcloud Elasticsearch database exposure, What data was leaked in the Nextcloud incident, Nextcloud Data Leak, Elasticsearch, Elasticsearch Data Leak, Nextcloud, data exposure
Facebook
X
LinkedIn
Reddit
WhatsApp

Security researchers have discovered a publicly accessible Elasticsearch instance belonging to Nextcloud that exposed internal company data, customer contracts, and installation scripts.

According to an investigation by Cybernews, Nextcloud, the company behind the self-hosted collaboration platform, left an unsecured database exposed online for an extended period. Researchers discovered the Elasticsearch cluster on May 18. It reportedly contained around 367,000 records totaling nearly 7.9 GB of data.

Ad

Nextcloud is best known for its self-hosted collaboration platform, which customers typically deploy on their own infrastructure. The software is also a core component of Euro Office, a European productivity suite positioned as an alternative to Microsoft Office and Google Docs.

What the Database Contained

According to the researchers, PDF documents accounted for the largest share of files, with approximately 71,000 documents. The database also contained around 53,000 PNG images and nearly 23,000 Markdown files.

Among the unencrypted data were invoices issued by Nextcloud to customers as well as invoices received from suppliers. These documents exposed email addresses of Nextcloud employees along with the names and addresses of customer organizations. Contact details of individuals who had submitted invoices to Nextcloud were also included. According to Cybernews, identifiable email domains belonged to organizations including hosting providers IONOS and Strato, as well as public sector institutions, including the Ministry of Education of North Rhine-Westphalia in Germany.

Ad

In addition to invoices and contracts, researchers found:

  • Shell and Python scripts created by Nextcloud for specific customers to deploy and operate the software on their own infrastructure. Some of these scripts contained hardcoded database credentials.
  • Email messages stored in EML format, including timestamps and sender and recipient addresses.
  • Lists containing the full names and corporate email addresses of individuals who participated in beta testing and other Nextcloud programs.
  • Contracts, templates, and summaries related to customer business relationships, including details about service scope, user counts, and contractual terms.
  • Additional metadata, including HTTP headers, file-sharing lists (primarily first names of Nextcloud employees, with some external addresses), file paths, filenames, and MD5 checksums.

Nextcloud Responds

In a statement to Cybernews, Nextcloud said the exposure was caused by a misconfiguration within its own hosting infrastructure and was unrelated to the Nextcloud software itself. The company emphasized that servers operated by customers, partners, and other users were not affected.

“The issue was caused by a misconfiguration in our hosting infrastructure and is unrelated to the Nextcloud solution. No other Nextcloud servers operated by our customers, partners, or other users were affected by this issue.”

Nextcloud

According to Cybernews, the exposed Elasticsearch cluster was secured two days after researchers reported the issue and has not been publicly accessible since. Nextcloud also reported the incident to the responsible regional data protection authority.

So far, neither Nextcloud nor the Cybernews researchers have found any evidence that the exposed data was accessed or misused.

(lb)

Ad

Weitere Artikel