HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

Massive Exposure of 150M+ Email Addresses via Misconfigured Serverless Query Service

A misconfigured serverless function now lets anyone query a database of over 150 million email addresses, exposing personal data and raising supply‑chain risk for SaaS vendors that rely on the service.

LiveThreat™ Intelligence · 📅 March 17, 2026· 📰 troyhunt.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
troyhunt.com

Massive Exposure of 150M+ Email Addresses via Misconfigured Serverless Query Service

What Happened — Troy Hunt reported that a publicly accessible serverless function now allows unrestricted queries against a database containing over 150 million email addresses. The service, originally a simple lookup site, has evolved to include edge‑code and new storage constructs that inadvertently expose the full dataset.

Why It Matters for TPRM — • Uncontrolled data exposure can compromise downstream partners that share or ingest email lists. • Misconfigurations in third‑party cloud services illustrate supply‑chain risk for SaaS vendors. • Large‑scale personal data leaks increase regulatory and reputational exposure for any organization that relies on the affected API.

Who Is Affected — SaaS platforms, marketing automation tools, CRM providers, and any organization that integrates with the exposed email‑lookup API.

Recommended Actions — Review contracts and data‑flow diagrams for any reliance on the exposed service, validate that vendor controls include secure configuration management, and consider alternative vetted data‑verification providers.

Technical Notes — Attack vector: cloud‑function misconfiguration leading to unrestricted read access. No CVE disclosed. Exposed data: email addresses, timestamps, and breach‑association metadata. Source: Troy Hunt Weekly Update 495

📰 Original Source
https://www.troyhunt.com/weekly-update-495/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

Data exposure is where consent and DSAR readiness get tested.

When personal data leaks, regulators ask what consent you held and how fast you can answer a subject request. The Verisq AI Trust Operations platform, with CookiePLUS, keeps that posture audit-ready under GDPR and CCPA.

Explore the Verisq AI Trust Operations platform →