infotechlead

Netcore Cloud Data Exposure: 40 bn Email Records, 13.4 TB Left Publicly Accessible

A major data exposure discovered on October 16, 2025 revealed an unencrypted, non-password-protected database linked to Netcore Cloud that contained 40,089,928,683 records totaling ~13.41 TB of mail logs, marketing messages, account verifications, banking notifications and other transactional messages. The finding was publicly reported by cybersecurity researcher Jeremiah Fowler via Website Planet.

Image: Antivirus software users for laptop and desktop. Credit: Freepik

What the leak contained

A limited sample of files inspected by the researcher included:

Mail log records with email addresses, message subjects, sender/recipient headers and SMTP metadata.

Notifications related to banking and finance (some with partial account numbers), employment messages, and healthcare notifications.

Records explicitly labelled confidential and entries with IP addresses and other mail-delivery details that could help an attacker craft convincing phishing or spoofing campaigns.

Who appears to be affected

Information found in the dataset, including hostnames and other identifiers, points to Netcore Cloud, an India-based AI marketing and customer-engagement platform used by thousands of brands for email, app notifications, SMS, WhatsApp and more. It is not publicly known whether Netcore hosted and managed this specific database directly or whether it belonged to a third-party contractor. Only an internal forensic investigation can confirm ownership and whether the data was exfiltrated or accessed prior to discovery.

Timeline and disclosure

Jeremiah Fowler reported the unsecured database to Netcore via responsible disclosure; the company restricted public access the same day the issue was reported, and acknowledged receipt of the notice. There is no public confirmation yet about how long the server was exposed or whether it was accessed by unauthorized parties prior to remediation. An internal forensic audit is required to answer those questions.

Why this exposure matters — beyond spam

At surface level, mass email lists generate more spam. But the risks are deeper and more dangerous:

Targeted phishing and spear-phishing: Real subject lines, sender headers and email metadata make spoofed messages look highly legitimate, increasing the chance of credential theft or malware infection.

Clone-phishing and account impersonation: Attackers can replicate transactional messages (bank alerts, order confirmations) to trick recipients into divulging credentials or performing fraudulent actions.

Cross-breach credential harvesting: Exposed addresses can be correlated with other breach datasets to identify high-value targets for takeover.

Business reconnaissance: Mail logs reveal relationships between companies, vendors and customers — useful intelligence for social engineering or tailored attacks.

What organizations (especially Netcore customers and similar vendors) should do now

Launch a full forensic audit. Confirm ownership, time-window of exposure, access logs and whether any downloads or queries indicate exfiltration.

Notify impacted customers and regulators as required. Follow local data-breach notification laws (e.g., India, EU, US state laws) and provide transparent guidance to clients.

Rotate credentials & revoke tokens. If transactional systems or API keys were exposed, rotate keys and reissue credentials.

Harden storage and access controls. Require authentication for storage endpoints, enable encryption at rest and in transit, apply least-privilege IAM policies, and deploy automated configuration scanning for public buckets/DBs.

Share Indicators of Compromise (IOCs). Provide customers and CERT/industry groups with IOCs to help detect potential abuse.

Offer support to affected customers. Consider credit monitoring, phishing awareness training, and technical help for remediation.
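A first pass at the forensic-audit step above, as an added example (not from the original article, the researcher or Netcore): it reads an access log and reports the window of unauthenticated requests from outside trusted networks, plus the source addresses whose total response volume suggests bulk retrieval. The JSON-lines field names, the sample records, the trusted range and the 1 GB threshold are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample access log (JSON lines). Field names are assumptions;
# map them to whatever your data store or reverse proxy actually records.
SAMPLE_LOG = """\
{"ts":"2025-01-01T08:00:00+00:00","src":"10.0.4.12","auth":true,"op":"search","bytes_out":52000}
{"ts":"2025-01-03T02:14:09+00:00","src":"203.0.113.50","auth":false,"op":"list","bytes_out":4100}
{"ts":"2025-01-03T02:15:30+00:00","src":"203.0.113.50","auth":false,"op":"export","bytes_out":900000000}
{"ts":"2025-01-03T02:40:00+00:00","src":"203.0.113.50","auth":false,"op":"export","bytes_out":1200000000}
{"ts":"2025-01-09T11:02:00+00:00","src":"198.51.100.7","auth":false,"op":"list","bytes_out":3900}
{"ts":"2025-01-16T09:30:00+00:00","src":"10.0.4.12","auth":true,"op":"search","bytes_out":61000}
"""

def audit_exposure(log_text, trusted_nets, bulk_bytes=1_000_000_000):
    """Return (first_seen, last_seen, bulk_readers) for unauthenticated
    requests that came from outside trusted_nets."""
    nets = [ip_network(n) for n in trusted_nets]
    first = last = None
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        src = ip_address(rec["src"])
        if rec["auth"] or any(src in n for n in nets):
            continue  # authenticated or internal traffic is not the exposure
        ts = datetime.fromisoformat(rec["ts"])
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
        totals[rec["src"]] += rec["bytes_out"]
    # Sources whose cumulative response size crosses the threshold
    bulk = {ip: n for ip, n in totals.items() if n >= bulk_bytes}
    return first, last, bulk

if __name__ == "__main__":
    first, last, bulk = audit_exposure(SAMPLE_LOG, ["10.0.0.0/8"])
    print("unauthenticated external access:", first, "to", last)
    for ip, n in bulk.items():
        print(f"possible bulk retrieval: {ip} received {n} bytes")
```

The window this yields is only a lower bound: it cannot start earlier than the oldest log record retained, so log retention limits should be stated alongside the result.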

What individuals and administrators should watch for

Phishing attempts that reference real order numbers, sender addresses or subject lines. Treat any unexpected links or attachments with caution.

Unusual account recovery or password reset emails. Verify directly with the service (do not click embedded links).

Unrecognized login attempts or password-reset notifications. Enable MFA (multi-factor authentication) where available.

Cross-check email addresses against known breach notification services and change passwords if you see the address in breach reports.

Bottom line

The Netcore Cloud exposure is a reminder that misconfigured or publicly accessible data stores can turn routine marketing and transactional logs into a treasure trove for attackers. The scope (~40 billion records and 13.4 TB) and the presence of banking and confidential metadata elevate the incident from nuisance spam to a potentially serious enterprise and consumer risk that requires immediate forensic investigation and broad notification.

Rajani Baburajan
