Massive Exposure of 150M+ Email Addresses via Misconfigured Serverless Query Service
What Happened — Troy Hunt reported that a publicly accessible serverless function allows unrestricted queries against a database holding more than 150 million email addresses. The service began as a simple lookup site and has since grown to include edge code and new storage constructs; one of those additions inadvertently exposes the full dataset to anyone who can reach the function.
Why It Matters for TPRM — • Uncontrolled data exposure can compromise downstream partners that share or ingest email lists. • Misconfigurations in third‑party cloud services illustrate supply‑chain risk for SaaS vendors. • Large‑scale personal data leaks increase regulatory and reputational exposure for any organization that relies on the affected API.
Who Is Affected — SaaS platforms, marketing automation tools, CRM providers, and any organization that integrates with the exposed email‑lookup API.
Recommended Actions — Identify any reliance on the exposed service in contracts and data‑flow diagrams, confirm that vendor controls include secure configuration management for cloud functions (authentication, query restriction and rate limiting on every endpoint that reads the data store), and consider alternative vetted data‑verification providers.
Technical Notes — Attack vector: cloud‑function misconfiguration leading to unrestricted read access (no authentication or query restriction in front of the data store). No CVE disclosed; a configuration flaw in a vendor‑operated service would not normally receive one, so its absence says nothing about severity. Exposed data: email addresses, timestamps, and breach‑association metadata. Source: Troy Hunt Weekly Update 495
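The misconfiguration pattern in the Technical Notes, shown as an added example that is not code from Troy Hunt or the service he reported on: a hypothetical lookup handler in the shape of a serverless function, first with an unrestricted read path and then hardened. The event shape, the constructed sample records, the API key and the field names are all assumptions made for the illustration.

```python
"""Added example: a lookup endpoint with an unrestricted read path beside a hardened one.
Hypothetical code; the event shape, dataset, API key and field names are assumptions."""
import hmac
import re
import time
from collections import defaultdict

# Constructed sample records, standing in for the real dataset (not real data).
RECORDS = [
    {"email": "alice@example.com", "seen": "2024-01-05T10:00:00Z", "breaches": ["SiteA"]},
    {"email": "bob@example.com", "seen": "2024-02-11T08:30:00Z", "breaches": ["SiteA", "SiteB"]},
    {"email": "carol@example.org", "seen": "2024-03-20T14:15:00Z", "breaches": ["SiteC"]},
]


def vulnerable_handler(event):
    """The misconfiguration pattern: no authentication, substring matching on the
    query, and every field of every matching row returned. An empty query (or "@")
    dumps the whole dataset, so the endpoint is a bulk export, not a lookup."""
    q = event.get("query", {}).get("q", "")
    return {"status": 200, "body": [r for r in RECORDS if q in r["email"]]}


# --- Hardened version -------------------------------------------------------
API_KEYS = {"partner-1": "k-0123"}  # hypothetical; load from a secrets manager in practice
RATE_LIMIT = 5                      # requests per key per window
WINDOW_SECONDS = 60
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")  # exactly one full address, no wildcards
_request_log = defaultdict(list)


def reset_rate_limits():
    """Clear the in-memory rate-limit state (used by tests and cold starts)."""
    _request_log.clear()


def _authenticate(headers):
    """Constant-time comparison of the presented key against each known key."""
    presented = headers.get("x-api-key", "").encode()
    for owner, key in API_KEYS.items():
        if hmac.compare_digest(presented, key.encode()):
            return owner
    return None


def _rate_limited(owner, now):
    """Sliding window: reject once the key has used its quota in the last WINDOW_SECONDS.
    Rejected requests are not recorded, so a blocked caller does not extend its own lockout."""
    recent = [t for t in _request_log[owner] if now - t < WINDOW_SECONDS]
    if len(recent) >= RATE_LIMIT:
        _request_log[owner] = recent
        return True
    recent.append(now)
    _request_log[owner] = recent
    return False


def hardened_handler(event, now=None):
    """Authenticate, rate limit, accept only one exact address, and return the
    minimum: whether it is present and the breach names, never the stored
    address, the timestamp or any other row."""
    now = time.time() if now is None else now
    owner = _authenticate(event.get("headers", {}))
    if owner is None:
        return {"status": 401, "body": {"error": "unauthenticated"}}
    if _rate_limited(owner, now):
        return {"status": 429, "body": {"error": "rate limited"}}
    q = event.get("query", {}).get("q", "")
    if not EMAIL_RE.fullmatch(q):
        return {"status": 400, "body": {"error": "query must be a single email address"}}
    match = next((r for r in RECORDS if r["email"].lower() == q.lower()), None)
    return {"status": 200, "body": {"pwned": match is not None,
                                    "breaches": list(match["breaches"]) if match else []}}
```

The hardened handler limits per API key only; in a real deployment the platform should also require authentication on the function's route itself and throttle unauthenticated callers by source address, so that a single misconfigured handler cannot become a public bulk-export endpoint.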