{
	"id": "b4b1865d-9acf-4e41-b488-ba4285c30ffe",
	"created_at": "2026-04-15T02:22:24.397697Z",
	"updated_at": "2026-04-18T02:20:50.83753Z",
	"deleted_at": null,
	"sha1_hash": "4ffc727a924fcacf290fc860909889b1e03bb0a5",
	"title": "Thomson Reuters collected and leaked at least 3TB of sensitive data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71151,
	"plain_text": "Thomson Reuters collected and leaked at least 3TB of sensitive\r\ndata\r\nPublished: 2022-10-27 · Archived: 2026-04-15 02:03:03 UTC\r\nThomson Reuters, a multinational media conglomerate, left an open database with sensitive customer and\r\ncorporate data, including third-party server passwords in plaintext format. Attackers could use the details for a\r\nsupply-chain attack.\r\nMedia giant with $6.35 billion in revenue left at least three of its databases open\r\nAt least 3TB of sensitive data exposed including Thomson Reuters plaintext passwords to third-party\r\nservers\r\nThe data company collects is a treasure trove for threat actors, likely worth millions of dollars on\r\nunderground criminal forums\r\nThe company has immediately fixed the issue, and started notifying their customers\r\nThomson Reuters downplayed the issue, saying it affects only a “small subset of Thomson Reuters Global\r\nTrade customers”\r\nThe dataset was open for several days – malicious bots are capable of discovering instances within mere\r\nhours\r\nThreat actors could use the leak for attacks, from social engineering attacks to ransomware\r\nThe Cybernews research team found that Thomson Reuters left at least three of its databases accessible for anyone\r\nto look at. One of the open instances, the 3TB public-facing ElasticSearch database, contains a trove of sensitive,\r\nup-to-date information from across the company’s platforms. 
The company recognized the issue and fixed it\r\nimmediately.\r\nThomson Reuters provides customers with products such as the business-to-business media tool Reuters Connect,\r\nlegal research service and database Westlaw, the tax automation system ONESOURCE, online research suite of\r\neditorial and source materials Checkpoint, and other tools.\r\nThe size of the open database the team discovered corresponds with the company using ElasticSearch, a data\r\nstorage favored by enterprises dealing with extensive, constantly updated volumes of data.\r\nThe naming of ElasticSearch indices inside the Thomson Reuters server suggests that the open instance was used\r\nas a logging server to collect vast amounts of data gathered through user-client interaction. In other words, the\r\ncompany collected and exposed thousands of gigabytes of data that Cybernews researchers believe would be\r\nworth millions of dollars on underground criminal forums because of the potential access it could give to other\r\nsystems.\r\nMeanwhile, Thomson Reuters claims that out of three misconfigured servers the team informed the company\r\nabout, two were designed to be publicly accessible. The third server was a non-production server meant for\r\n“application logs from the pre-production/implementation environment.”\r\nhttps://cybernews.com/security/thomson-reuters-leaked-terabytes-sensitive-data/\r\nPage 1 of 6\n\nThe leaked data\r\nTime stamps on data samples reviewed by the team indicate that the information was logged recently, with some\r\npieces of data as recent as October 26. According to the researchers, the logs in the open database contain\r\nsensitive information and could lead to supply-chain attacks if accessed by threat actors.\r\nFor example, the open dataset held access credentials to third-party servers. The details were held in plaintext\r\nformat, visible to anyone crawling through the open instance. 
According to Mantas Sasnauskas, the Head of\r\nSecurity Research at Cybernews, this type of information would allow threat actors to gain an initial foothold in\r\nthe systems used by companies working with Thomson Reuters.\r\n“ElasticSearch is a very common and widely used data storage and is prone to misconfigurations, which makes it\r\naccessible to anyone. This instance left sensitive data open and was already indexed via popular IoT [internet of\r\nthings] search engines. This provides a large attack surface for malicious actors to exploit not only internal\r\nsystems but a way for supply chain attacks to get through. A simple human error can lead to devastating attacks,\r\nfrom data exfiltration to ransomware,” Sasnauskas said.\r\nThomson Reuters data leak\r\nExamples of passwords/credentials to a third party server (top) and connection string logs (below)\r\non the database. Image by Cybernews.\r\nThe team also found the open instance to contain login and password reset logs. While these don’t expose either\r\nold or new passwords, the logs show the account holder’s email address, and the exact time the password change\r\nquery was sent can be seen.\r\nAnother piece of sensitive information includes SQL (structured query language) logs that show what information\r\nThomson Reuters clients were looking for. The records also include what information the query brought back.\r\nThat includes documents with corporate and legal information about specific businesses or individuals. 
For\r\ninstance, an employee of a company based in the US was looking for information about an organization in Russia\r\nusing Thomson Reuters services, only to find out that its board members were under US sanctions over their role\r\nin the invasion of Ukraine.\r\nThe team has also discovered that the open database included an internal screening of other platforms such as\r\nYouTube, Thomson Reuters clients’ access logs, and connection strings to other databases. The exposure of\r\nconnection strings is particularly dangerous because the company’s internal network elements are exposed,\r\nenabling threat actors’ lateral movement and pivoting through Thomson Reuters’ internal systems.\r\nThere is a high chance the open instance included much more sensitive data since the database holds more than\r\n6.9 million unique logs that take up over 3TB of server disk. The team claims that it is impossible to know the full\r\nextent of how big the dataset actually is without crossing the ethical boundaries within which researchers operate.\r\nThe company’s investigation\r\nThe team contacted Thomson Reuters upon discovering the leaking database, and the company took down the\r\nopen instance immediately.\r\n“Upon notification we immediately investigated the findings provided by Cybernews regarding the three\r\npotentially misconfigured servers,” a Thomson Reuters representative told Cybernews.\r\nAccording to the company, two of the servers were designed to be publicly accessible, while the third is a non-production server related to one of Thomson Reuters products, ONESOURCE Global Trade Product. 
The tool\r\nallows users to “manage export/import, sanctions screening, and other trade controls activities and related filings.”\r\n“This non-production server only houses application logs from the pre-production/implementation environment of\r\nthat product and is only associated with a small subset of Thomson Reuters Global Trade customers,” the\r\ncompany explained.\r\nNon-production servers usually don’t hold application data. However, that does not mean that the details stored\r\nthere are less sensitive.\r\n“The open instance resembles a development server which can consist of an entire infrastructure and usually holds\r\nmore sensitive client activity and data,” Sasnauskas said.\r\nThomson Reuters leak\r\nThomson Reuters says that the now-closed server only captures data generated through user actions within the\r\npre-production and implementation environment.\r\n“The server contains the information needed to operationally support the platform,” the company's representative\r\nexplained.\r\nHowever, it’s hard to tell whether all details stored on the instance were necessary to support the platform’s\r\noperations. Either way, even if all of the data was essential, that doesn’t make it less sensitive if leaked.\r\n“Information stored on the server is extremely sensitive. Cases like these raise questions about corporate data\r\ncollection practices. The ramifications of a data leak of such scale are worrying to say the least,” Sasnauskas\r\nexplained.\r\nThe company launched an investigation to get to the root of the problem. 
The leading theory so far is that an\r\n“isolated error in the product environment resulted in the inadvertent misconfiguration of the non-production\r\nenvironment.”\r\nThomson Reuters said it had begun notifying affected customers.\r\nSignificant impact\r\nResearchers believe that any loss of information on the dataset could not only harm Thomson Reuters and its\r\nclients but also be detrimental to the public interest.\r\nFor example, the open database was leaking some individuals’ and organizations’ sensitive screening and\r\ncompliance data. Accessible data from the public-facing Thomson Reuters database could have tipped off entities\r\nthat would like their wrongdoing kept in the dark.\r\nAccording to Martynas Vareikis, Information Security Researcher at Cybernews, threat actors could use the email\r\naddresses exposed in the dataset to carry out phishing attacks. Attackers could impersonate Thomson Reuters and\r\nsend the company’s customers fake invoices.\r\n“Having more details always helps malicious actors. Knowing the victims are Thomson Reuters clients allows for\r\na targeted campaign. That’s especially true if Thomson Reuters clients used a non-public business email address to\r\nregister with the company. Invoices infected with malware could cause huge losses for the clients if they were\r\nattacked by ransomware gangs,” Vareikis explained.\r\nAccording to Sasnauskas, there are numerous ways attackers could use the leaked details to harm the company\r\nitself. 
He claims that access to log files and the instance could enable malicious actors to leak sensitive\r\ninformation, extort the business, and gain knowledge about the internal networks, systems, and services in use.\r\n“Attackers could pivot and move laterally in systems, and cause a plethora of malicious actions such as sell access\r\nto brokers or ransomware affiliates and launch sophisticated attacks, possibly including ransomware,” Sasnauskas\r\nsaid.\r\nWhy did it happen?\r\nA thorough inspection of the SSL (secure sockets layer) certificate of the accessible web server, DNS (domain\r\nname system) data, and information on the ElasticSearch instance itself allowed the team to confirm that the open\r\ndatabase belongs to the Thomson Reuters Corporation. The server had been left accessible since October 21.\r\nIoT search engines did not show any results for the Thomson Reuters instance before that day. Since the web\r\nspace is filled with bots and scripts hunting for open databases, it is doubtful the database was accessible to the\r\npublic before.\r\nAccording to Vareikis, the likeliest cause for the dataset to suddenly appear online is a misconfiguration error.\r\n“We believe that it was caused by a misconfiguration on the AWS Elastic Load Balancing service, which followed\r\ndifferent rules that weren’t configured to fully cover access control rules, which led to the service being exposed\r\nto the public,” Vareikis explained.\r\nExposed in the past?\r\nThomson Reuters security principles laid down in a whitepaper published last year claim the company’s secure\r\nconfiguration is created and deployed according to best practices.\r\nHowever, digging through historical data from IoT search engines, researchers discovered that some of Thomson\r\nReuters’ configuration and system environment files were exposed last year. 
Some of the files that appear on IoT\r\nsearch engines are still exposed to this day.\r\nThe company’s security principles also say that it performs automated and centralized logging to provide real-time\r\nalerting. However, the open dataset was accessible to the public for several days.\r\n“It takes less than a few hours for an open server to be crawling with bots. Meanwhile, the data shows that the\r\ninstance was open for more than three straight days. It begs the question of whether real-time alerting is necessary\r\nif there is no one to review the alerts,” Vareikis said.\r\nAvoid at all cost\r\nTo deflect the impact that a lack of oversight might cause, it is highly recommended to avoid logging personally\r\nidentifiable information (PII), such as corporate emails, in the same dataset with queries and other interactions.\r\nDue to the sensitive nature of the requests that businesses might be using investigative tools for, exposing\r\ncorporate inquiries may threaten to reveal company secrets, causing severe financial damage if made public.\r\n“Even though the company encrypted communication with the server in SSL format, all security measures would\r\nfail with an introduction of a simple human error. There should always be measures mitigating these risks so that\r\ndata does not get into malicious hands. Security practices, we see here, were not what you’d expect from a\r\nbusiness as big as Thomson Reuters,” Sasnauskas said.\r\nCompanies should also avoid storing passwords in plaintext format. Even if databases are not public-facing, there\r\nare dangers of exposure. 
Credential theft and privilege-escalation attacks could allow malign actors to penetrate\r\ncorporate databases, leaving passwords in plaintext format immediately exposed.\r\n“Plaintext passwords to third-party servers stored in the open database should have been hashed with strong\r\nalgorithms. That’s because even a strong password is obsolete once a database where it’s stored in plaintext is\r\nexposed,” Sasnauskas explained.\r\nSource: https://cybernews.com/security/thomson-reuters-leaked-terabytes-sensitive-data/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cybernews.com/security/thomson-reuters-leaked-terabytes-sensitive-data/"
	],
	"report_names": [
		"thomson-reuters-leaked-terabytes-sensitive-data"
	],
	"threat_actors": [],
	"ts_created_at": 1776219744,
	"ts_updated_at": 1776478850,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4ffc727a924fcacf290fc860909889b1e03bb0a5.pdf",
		"text": "https://archive.orkl.eu/4ffc727a924fcacf290fc860909889b1e03bb0a5.txt",
		"img": "https://archive.orkl.eu/4ffc727a924fcacf290fc860909889b1e03bb0a5.jpg"
	}
}