Builder.ai’s 1.29 TB Database Left Unsecured for Over a Month

In a troubling revelation, Builder.ai, a London-based technology company specializing in human-assisted AI for building applications, inadvertently left a massive database publicly accessible without password protection or encryption. The database, containing over 3 million records and totaling 1.29 terabytes, included sensitive customer and corporate information.

Scope of the Exposure

A sampling of the exposed data revealed customer cost proposals, NDA agreements, invoices, tax documents, email correspondence screenshots, internal image files, and configuration details of cloud storage databases. Alarmingly, two documents contained access and configuration details for separate cloud storage databases, including secret access keys. While no attempts were made to use these keys, their exposure could have enabled malicious actors to access additional sensitive data.

Specific breakdowns of the Builder.ai data breach include:

337,434 invoices (totaling 18 GB).
32,810 master service agreements (4 GB), which included NDAs revealing names, emails, IP addresses, project cost summaries, and other project details.

The database’s name and document contents identified Builder.ai, previously known as Engineer.ai before a 2019 rebranding, as the source. The company has a global presence with offices in the US, Asia, Europe, and the Middle East.

Timeline of Disclosure

The database was first discovered on October 28, and a responsible disclosure notice was promptly sent. Despite the warning, the database remained accessible until November 27, nearly a month later. In a follow-up inquiry, Builder.ai acknowledged the issue but attributed the delay to “complexities with dependent systems.”

It remains unclear whether the database was managed directly by Builder.ai or a third-party contractor. Furthermore, the duration of the exposure before its discovery and whether any unauthorized access occurred are unknown. Only a detailed forensic audit can determine the extent of potential breaches.

Ethical Concerns and Potential Impact

This incident highlights significant vulnerabilities in data management and the potential risks posed by unsecured databases. The availability of access keys and sensitive corporate documents underscores the importance of robust cybersecurity practices.

This exposure raises critical questions about the responsibility and security protocols of companies managing sensitive information in an increasingly digital and interconnected world.