A Nextcloud data leak exposed around 367,000 internal records after a hosting misconfiguration left an Elasticsearch database publicly accessible. The leaked data included invoices, contracts, employee information, emails, and infrastructure scripts.
Researchers discovered the exposed database on May 18. Nextcloud secured it two days after receiving a responsible disclosure report. The company says the incident did not affect customer-hosted servers and found no evidence that attackers accessed the data.
Hosting Misconfiguration Left Database Exposed
The exposed Elasticsearch cluster contained nearly 8GB of internal Nextcloud data.
Nextcloud uses self-hosted cloud software that allows organizations to store files on their own infrastructure instead of relying on public cloud providers. However, the exposed database belonged to Nextcloud’s own hosting environment rather than customer installations.
According to the company, a hosting infrastructure misconfiguration caused the exposure. It stressed that the issue was unrelated to the Nextcloud platform itself.
Nextcloud also reported the incident to the relevant state data protection authority after completing its investigation.
Thousands of Sensitive Files Were Exposed
Researchers found a wide range of internal documents inside the database.
The exposed files included invoices, contracts, email messages, and employee information. They also found shell and Python scripts that customers use to deploy and manage Nextcloud environments.
Some of those scripts contained hardcoded database credentials. Researchers also discovered unencrypted email content, work email addresses, file-sharing information, document metadata, and MD5 file hashes.
Several records revealed information about client organizations, including business agreements, project details, and the scope of customer deployments.
Client and Employee Data Appeared in the Leak
The exposed invoices revealed employee email addresses, customer names, business addresses, and contact information.
Researchers also identified email domains belonging to major hosting providers, including IONOS and STRATO. Some records referenced German public sector organizations, including the Ministry of Schools and Education of North Rhine-Westphalia.
In addition, the database contained lists of users who signed up for beta features and other Nextcloud integrations. Those records exposed full names and corporate email addresses.
Nextcloud Says Customer Servers Remained Secure
Nextcloud says the incident only affected its internal hosting infrastructure.
The company stated that attackers did not reach customer servers, partner environments, or other user installations. It also said its investigation found no evidence that anyone exploited the exposed database before the company secured it.
Although researchers found no signs of unauthorized access, they warned that internet-wide scanning bots routinely search for exposed databases. That means other parties could have discovered the data before the issue was resolved.
Researchers Warn of Phishing and Security Risks
The Nextcloud data leak could increase the risk of targeted phishing attacks against both employees and customers.
Attackers could use exposed invoices, contracts, and email addresses to create convincing phishing campaigns by impersonating trusted contacts. The leaked deployment scripts could also help attackers identify weaknesses in customer environments, making future attacks more effective.
The incident highlights how a single infrastructure misconfiguration can expose large volumes of sensitive business data, even when customer systems remain unaffected.


0 responses to “Nextcloud Data Leak Exposes 367,000 Internal Records After Hosting Error”