Misconfigured servers and unsecured online databases have been coming back to bite companies.

Recently, Cyber Talk reported that spyware company Spyfone exposed the information of thousands by leaving sensitive data online in an unsecured Amazon s3 bucket. Now think of that, but on a massive scale: Researchers found that more than 440 million records were left online in a publicly searchable MongoDB server, without even password protection. Worse: It belonged to Veeam, a disaster-recovery firm. Oh, the irony.

The open server contained a 200 GB database, says Threatpost. The database, which housed marketing data, housed information such as customers’ first and last names, email addresses, and customer organization size. Records in the cache were timestamped from 2013-2017. A Veeam spokesperson said that the records are “non-sensitive.”

It’s fortunate that the exposed data is “non-sensitive” – no financial information or social security numbers were exposed like we’ve seen in some leaks – but a wide-open database like this can still make it easy for cybercriminals to find email targets for spearphishing and other attacks.

Get the full story at Threatpost.