Author: Katie Paxton-Fear
While many vulnerabilities are highly technical, complex, and mindblowing, sensitive data exposure is comparatively much more, well… boring. But sensitive data exposure vulnerabilities can be truly cringe-inducing and embarrassing, with a “how did I not know about this” energy and actually quite serious consequences. From credit card numbers leaking online to API keys and developer tokens sitting in public GitHub repositories, this class of vulnerability is a bit mortifying. It’s not just a matter of best practice, either: regulatory compliance compels organizations to take concrete steps to secure sensitive data so it never ends up in a data breach scandal. So while sensitive data exposure vulnerabilities are perhaps seen as a little boring and the result of simple errors, these aren’t bugs to ignore, forget, or delay.
The insidious nature of sensitive data exposure is that it’s often a silent killer. Attackers can end up “living rent-free” inside your systems, stealing data over years before anyone notices. While you think everything is fine, attackers are having a field day, stealing intellectual property and personally identifiable information about your customers or employees, or setting up for much longer and much larger attacks. Oftentimes, attackers don’t stop at breaching systems: they extort the organization or the affected people, and dump the data publicly when the victim refuses to pay. This turns a data breach into a reputational crisis that can take years to recover from, and that doesn’t even include the potential non-compliance fines.
This is the cost of complacency: It’s not enough to just tick a compliance box. The financial and operational impacts of sensitive data exposure have reached staggering proportions, and recent incidents demonstrate how even industry giants with substantial security budgets can fall victim to seemingly basic oversights.
Threat actors often target sensitive data to use in larger attacks down the road. Take the Snowflake breaches that unfolded in 2024. Organizations had loaded sensitive data into the Snowflake platform, and where those customer accounts had no multi-factor authentication enabled, the threat group UNC5537 (linked to the notorious Scattered Spider) was able to log in with credentials harvested by infostealer malware campaigns and purchased on criminal markets. This wasn’t a sophisticated zero-day exploit; it was data that organizations had willingly put into the platform, stolen credentials, and a lack of multi-factor authentication.
The fallout reached well beyond Snowflake itself; the following three incidents have all been reported as victims of that same credential campaign. In July 2024, AT&T disclosed that call and text records for nearly all of its cellular customers, covering roughly May through October 2022, had been stolen, with approximately 109 million accounts affected. The stolen data included phone numbers, call counts, and cell site identification numbers that could potentially reveal location information. Perhaps you remember Ticketmaster’s parent company, Live Nation? They revealed that attackers accessed the personal information of 560 million customers globally, including names, addresses, phone numbers, and partial credit card details. Or what about Santander Bank? They reported that data from customers and employees across Chile, Spain, and Uruguay was compromised, affecting approximately 30 million individuals. As you can see, sensitive data exposure vulnerabilities can impact anyone.
Another particularly insidious attack was carried out by a group calling itself Ransomed VC against Salesforce. What made the Ransomed VC situation particularly painful wasn’t just the breach itself, but the extortion that followed. Borrowing from the “double extortion” playbook, it’s no longer enough to encrypt (or, in this case, steal) data: attackers now also demand a ransom for the return of the data, or else they’ll release it to the public. The threat actors, operating under names like ShinyHunters, didn’t just steal the data; they held auctions on criminal forums, demanding ransoms ranging from $300,000 to $5 million per victim organization. When companies refused to pay, the data was dumped publicly, turning a security incident into a full-blown crisis involving regulatory scrutiny, class-action lawsuits, and irreparable reputational damage.
Meta’s €265 million fine from the Irish Data Protection Commission in November 2022 serves as a stark reminder that regulatory bodies are no longer treating data exposure as a minor infraction. The issue stemmed from a weakness that existed between May 2018 and September 2019, through which the phone numbers and emails of hundreds of millions of Facebook users were scraped and subsequently posted on hacking forums. The technical issue was deceptively simple: Meta failed to implement adequate rate limiting and anti-scraping measures on certain APIs and features, such as the contact importer tool, which matched uploaded phone numbers to Facebook profiles. Attackers exploited this by feeding automated scripts entire ranges of guessed phone numbers and collecting the profiles that came back, at scale.
By the time the scraping was discovered, data from approximately 533 million users across 106 countries had been compiled into a massive database that continues to circulate in criminal circles today. The fine wasn’t just for the immediate exposure; the DPC found that Meta had failed to meet GDPR’s “data protection by design and by default” obligations, that is, to properly assess and mitigate the risks to user data before shipping the feature. This was a lesson in how data exposure vulnerabilities can compound into massive regulatory penalties.
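To make the contact-importer problem concrete, here is an added example (not Meta’s code, and not from the original post) of a toy phone-number-to-profile matcher, run first with no abuse controls and then with a per-caller sliding-window rate limit and a batch-size cap. The user directory, the phone-number range, the `scraper` caller name and the limits are all constructed for this example; the point is to show why a scraper doesn’t need real contacts at all, just a number range and an endpoint that answers without limit.

```python
"""
Added example (not Meta's code): a toy contact-importer endpoint that maps
phone numbers to profile ids, first without any throttling and then with a
per-caller sliding-window rate limit and a batch-size cap. The user directory,
phone-number ranges, caller names and limits are all constructed for this example.
"""
import time
from collections import defaultdict, deque

# Constructed directory: 2,000 hypothetical users with consecutive numbers.
USERS = {f"+1555000{n:04d}": f"user{n}" for n in range(2000)}

# What a scraper actually submits: a whole guessed number range, not real contacts.
CANDIDATES = [f"+1555000{n:04d}" for n in range(10000)]


class ContactImporter:
    """Phone-number -> profile matcher with optional abuse controls."""

    def __init__(self, rate_limit=None, window_seconds=60.0, max_batch=None,
                 clock=time.monotonic):
        self.rate_limit = rate_limit        # lookups allowed per caller per window
        self.window = window_seconds
        self.max_batch = max_batch          # numbers accepted per single request
        self.clock = clock
        self._lookups = defaultdict(deque)  # caller -> timestamps of recent lookups

    def _allow(self, caller, count):
        """Sliding-window check: admit `count` lookups if the caller stays under the limit."""
        if self.rate_limit is None:
            return True
        now = self.clock()
        recent = self._lookups[caller]
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) + count > self.rate_limit:
            return False
        recent.extend([now] * count)
        return True

    def match(self, caller, numbers):
        """Return {number: profile_id} for every submitted number that belongs to a user."""
        if self.max_batch is not None and len(numbers) > self.max_batch:
            raise ValueError("batch too large")
        if not self._allow(caller, len(numbers)):
            raise PermissionError("rate limited")
        return {n: USERS[n] for n in numbers if n in USERS}


def enumerate_users(importer, caller, candidates, batch=100):
    """Scraper loop: feed guessed numbers in batches until the service refuses."""
    found = {}
    for i in range(0, len(candidates), batch):
        try:
            found.update(importer.match(caller, candidates[i:i + batch]))
        except (PermissionError, ValueError):
            break
    return found


if __name__ == "__main__":
    open_api = ContactImporter()
    print("unthrottled:", len(enumerate_users(open_api, "scraper", CANDIDATES)))
    guarded = ContactImporter(rate_limit=500, max_batch=100)
    print("rate limited:", len(enumerate_users(guarded, "scraper", CANDIDATES)))
```

Against the open endpoint the loop recovers the entire directory from 10,000 guesses; with a 500-lookups-per-minute limit and a 100-number batch cap it gets 500 numbers checked and is then refused. Note that rate limiting only bounds the rate, not the total: a patient scraper with many accounts can still grind through a range over weeks, so a real fix also has to stop confirming matches for people who haven’t opted in to being discoverable by phone number, and to monitor per-account lookup volumes for exactly this pattern.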
The 2023 MOVEit Transfer vulnerability (CVE-2023-34362) demonstrated how a single point of failure in widely-used software can cascade into a global catastrophe. The Clop ransomware group exploited a SQL injection vulnerability, used in the wild before a patch was available, in the MOVEit Transfer application, a managed file transfer solution used by thousands of organizations to securely share sensitive files.
The list of victims reads like a who’s who of global enterprises and government agencies. The U.S. Department of Energy confirmed that records for thousands of employees were compromised. British Airways disclosed that personal information of its employees was accessed. The BBC, Boots pharmacy chain, and even multiple U.S. state governments including Louisiana, Oregon, and Maine reported breaches. By some estimates, over 2,000 organizations and 62 million individuals were ultimately affected.
What made MOVEit particularly devastating was the trusted position these file transfer systems occupy in organizational workflows. They’re specifically designed to handle the most sensitive data—financial records, health information, employee data, and intellectual property. When Clop compromised these systems, they didn’t need to hunt for valuable data; organizations had already conveniently centralized it for them. The gang’s extortion demands reportedly ranged from hundreds of thousands to tens of millions of dollars, with many victims facing the impossible choice between paying criminals or seeing their most sensitive data published online.
The December 2022 Slack breach offers a masterclass in how modern development practices can create unexpected exposure risks. When attackers compromised a third-party vendor’s system, they obtained a limited number of Slack employee tokens that provided access to Slack’s externally hosted GitHub repositories. While Slack emphasized that their primary codebase and customer data remained secure, the incident revealed how even “non-production” repositories can contain sensitive information.
The attackers accessed repositories containing internal tools, configuration files, and automation scripts. While this might seem less critical than customer data or production code, such repositories often contain API keys, internal documentation about security measures, architectural diagrams, and other information that provides a roadmap for future attacks. For organizations embracing DevOps and infrastructure-as-code, this incident highlighted how developer environments have become high-value targets that require the same security rigor as production systems.
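The practical counterpart to that lesson is scanning repositories for committed credentials before an attacker does. The following is an added example, not Slack’s or GitHub’s tooling and not code from the original post: a small scanner that walks an in-memory “repository” of config and automation files and flags credentials using two complementary checks, fixed token formats for vendors whose keys have a recognizable prefix, and a Shannon-entropy test on values assigned to secret-looking variable names. The sample files, every token in them (the AWS pair is Amazon’s published documentation example), the regexes and the thresholds are all constructed for this example.

```python
"""
Added example (not Slack's or GitHub's tooling): a minimal secret scanner over
an in-memory repository. It combines known token formats with an entropy check
on values assigned to secret-looking names. Sample files, tokens, patterns and
thresholds are all constructed for this example.
"""
import math
import re
from collections import Counter

# Constructed repository contents (path -> file text). Every credential is fake;
# the AWS pair is Amazon's own documentation example key.
REPO = {
    "deploy/config.yml": (
        "aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "region: us-east-1\n"
    ),
    "scripts/notify.sh": (
        "#!/bin/sh\n"
        "SLACK_TOKEN=xoxb-123456789012-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx\n"
        'curl -H "Authorization: Bearer $SLACK_TOKEN" https://example.invalid/api\n'
    ),
    "scripts/ci.py": (
        "GITHUB_TOKEN = os.environ['GITHUB_TOKEN']  # read at runtime, fine\n"
        "RETRY_COUNT = 5\n"
        "API_KEY = 'placeholder'\n"
    ),
}

# Known token shapes (assumed formats for this example, not a complete catalogue).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
}

# "NAME = value" / "name: value" where NAME looks like a secret.
ASSIGNMENT = re.compile(
    r"""(?i)([A-Z0-9_.-]*(?:key|token|secret|password)[A-Z0-9_.-]*)\s*[:=]\s*['"]?([^\s'"]+)"""
)


def shannon_entropy(s):
    """Bits of entropy per character; random-looking secrets score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Never echo the full secret back into logs or tickets."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(path, text, min_len=20, min_entropy=3.5):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                seen.add(m.group(0))
                findings.append({"path": path, "line": lineno, "kind": kind,
                                 "value": redact(m.group(0))})
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group(1), m.group(2)
            # Skip values already caught above, short placeholders, and env lookups.
            if value in seen or len(value) < min_len:
                continue
            if shannon_entropy(value) >= min_entropy:
                findings.append({"path": path, "line": lineno,
                                 "kind": f"high_entropy:{name}", "value": redact(value)})
    return findings


def scan_repo(repo):
    out = []
    for path in sorted(repo):
        out.extend(scan_text(path, repo[path]))
    return out


if __name__ == "__main__":
    for f in scan_repo(REPO):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['value']}")
```

On the constructed repository this reports three findings: the AWS access key id and the high-entropy secret key in `deploy/config.yml`, and the bot token in `scripts/notify.sh`. The CI script, which reads its token from the environment and carries an obvious placeholder, produces nothing, which is the behaviour you want from a pre-commit hook or CI gate so that developers don’t learn to ignore it. The entropy check is what catches secrets with no recognizable prefix; the fixed patterns are what keep the false-positive rate tolerable.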
These incidents share common threads that every CISO and security leader should recognize. First, none required particularly sophisticated attack techniques. They exploited basic oversights in configuration, access control, and third-party risk management. Second, the blast radius of each incident extended far beyond the initial vulnerability, affecting customers, partners, and supply chains. Third, the aftermath involved not just technical remediation but regulatory investigations, legal battles, and long-term reputational damage that can affect stock prices and customer trust for years.
The lesson is clear: sensitive data exposure might be “boring” compared to exotic zero-days or nation-state APTs, but it’s the fundamental vulnerabilities that continue to drive the majority of significant breaches. They’re the unlocked doors and open windows that attackers check first, and unfortunately, they’re finding them open all too often.
Learn from the mistakes of others. This means moving beyond compliance-driven security to truly understanding where sensitive data lives, how it moves through your systems, and what controls actually protect it in practice, not just on paper. It means questioning assumptions about “low-risk” systems and recognizing that in our interconnected world, every system that touches sensitive data is a potential critical vulnerability waiting to be exploited.
Oh and paying us hackers lots of bounties for finding them 😉