An unprotected MongoDB database exposing over 4 billion records, revealing 16 terabytes of professional and corporate intelligence data, has been discovered by researchers at the Cybernews research team and SecurityDiscovery.com.
The database exposed detailed LinkedIn-derived profiles, contact information, corporate relationships, and employment histories, alongside other personal information.
There were nine collections within the dataset, with each file name indicating the type of information contained within:
- intent – 2,054,410,607 docs (604.76 GB)
- profiles – 1,135,462,992 docs (5.85 TB)
- unique_profiles – 732,412,172 docs (5.63 TB)
- people – 169,061,357 docs (3.95 TB)
- sitemap – 163,765,524 docs (20.22 GB)
- companies – 17,302,088 docs (72.9 GB)
- company_sitemap – 17,301,617 docs (3.76 GB)
- address_cache – 8,126,667 docs (26.78 GB)
- intent_archive – 2,073,723 docs (620 MB)
The researchers said all records within a specific collection are unique and details exposed included full names, dmails and phone numbers, linkedIn URLs and profile handles, employment histories, degrees, certifications, location data, social media accounts and more.
The database was discovered on 23 November 2025, with the instance’s owners securing it two days later. Researchers do not know how long the instance was exposed.
At the time of publication, the owner of the leaked database has not been confirmed.
A ‘Shocking’ Data Leak
Noelle Murata, Sr. Security Engineer at Xcape Inc, said: “This data leak is shocking, not just because of its sheer size, over 4 billion records and 16 terabytes, but because it’s meticulously organized. It’s LinkedIn-sourced information, mapping individuals, their employers, and company connections, which is exactly what attackers need for sophisticated phishing and business email compromise (BEC) attacks. The unique data collections and intent suggest a curated enrichment process, transforming scraped data into a ready-to-use targeting tool.
Murata added that leaving a MongoDB instance unprotected is a basic error, butthe ramifications are significant. “Years of employment histories, contact networks, and social connections, all difficult to change or mitigate. With the owner still unidentified, victims can’t even hold anyone accountable or demand fixes, a concerning trend in large-scale data breaches.”
“This isn’t a hack, but a blatant oversight,” she said. “A simple misconfiguration exposed a huge amount of sensitive corporate relationship data for an unknown period. The unknown owner now faces immense liability, essentially providing bad actors with an unauthorized, pre-built resource.
“When security posture management is ignored, a single misconfigured database becomes a multi-billion-dollar master key for global corporate espionage.”
This Won’t Be the Last
Aaron Colclough, VP of Operations at Suzu Labs, commented: “This isn’t the first time we’ve seen MongoDB misconfigurations expose millions of data points, and it likely won’t be the last. The ‘secure by default’ principle still isn’t being followed leaving these databases often deployed with authentication disabled for convenience during development, then pushed to production without remediation.”
According to Colclough, 4.3 billion records with 16 terabytes of enriched professional data is one of the largest exposures of business intelligence data the industry has seen. “It’s complete professional dossiers including employment history, education, certifications, and behavioral intent data. This is a social engineering goldmine. The ‘intent’ collection with over 2 billion documents is particularly concerning. Combined with the profile data, this enables highly targeted spear-phishing campaigns that reference specific professional interests or recent activities.
“Most professionals don’t realize that their LinkedIn profile, employment history, and even behavioral patterns are being aggregated, enriched, and sold by platforms they’ve never heard of. When these data brokers fail to secure their databases, the professionals whose data they’ve collected suffer the consequences, but have no contractual relationship to seek damages.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.