It's 2025, and your data still isn't safe in the hands of corporations that should know a lot better than to store it in an unencrypted database. And yet, stories like these continue to send shivers down the spines of cybersecurity experts everywhere.
This time, the leak involves a company called Netcore Cloud Pvt. Ltd, based in Mumbai, India. Netcore's website states that its AI-powered "comprehensive customer experience platform" is trusted by more than 6,500 brands around the world, so it's not like it's a small company.
An unencrypted database with roughly 40 billion records — coming out to about 13TB of data — was discovered by cybersecurity researcher Jeremiah Fowler, who tipped off Website Planet with his findings.
The 40 billion records contained "copious amounts of email addresses, message subjects, and more," as well as banking and healthcare notices, including "partial account numbers and specific information" deemed as too sensitive to be exposed publicly. Fowler says he "saw numerous records marked as confidential" while scouring the database.
I saw numerous records marked as confidential — all exposed, all unencrypted.
— Security researcher Anurag Sen, after discovering 13TB of marketing data left wide open.
Fowler says the database lacked password protection and encryption of any sort, meaning anyone who stumbled on (or was tipped off to) the database could freely browse its contents.
Upon discovering the security faux pas, Fowler contacted Netcore, as much of the information he found was connected to the company. Fowler says that access to the open database was restricted on the same day he sent the notice.
It's important to point out that it remains unclear if Netcore itself was managing the database or if the task was farmed out to a third party. Fowler also has no idea how long the unencrypted information was on the web, or if anyone else had accessed it before he tipped off Netcore.
Bad actors can do a lot of damage with only a few emails
You might be surprised at the ingenuity working behind the scenes of hacking and phishing schemes. Unfortunately, it doesn't take a lot of information for bad actors to get started on their next scam.
As Fowler points out in his report, email addresses and records can be enough for bad actors to create a profile of a victim, which can ultimately lead to a higher chance of being successful with phishing attempts.
Say a bad actor knows that a specific email address — which often contains a full name — receives messages from a specific company, like a telecom. The scammer could create an email that looks official, asking for sensitive details within the scope of your working relationship with the telecom.
These details, which are readily handed over to an entity you believe is legitimate, can then be added to the profile that's already underway. With enough work, risks of "social-engineering, account or password recovery, or even account takeover attempts" are possible.
Fowler makes it clear that he's not implying that this data breach related to Netcore has resulted in this sort of criminal activity, but that he's only giving hypothetical situations for "educational purposes."
Add it to the pile of major data breaches in 2025
The 13TB trove of potentially sensitive data uncovered by Fowler is, unfortunately, just another unnerving cyber situation in 2025.
Working back in time from the present, there was the notable Discord data breach from earlier this month that saw the ID photos and personal data of 70,000 users leak out. The hackers demanded a $5 million ransom before dropping it to $3.5 million; Discord refused to pay.
Then there was the September Plex leak involving emails and hashed passwords, which resulted in a strong suggestion from Plex for users to change their credentials.
In June, it was reported that 16 billion accounts and their credentials — aka "the largest data breach" — had been exposed, including passwords for Facebook, Google, and Apple.
This wasn’t a breach. It was a billboard.
— 40 billion records, including names, emails, and device info, left exposed by a company that sells trust for a living.
And in April, Elon Musk's X — formerly known as Twitter — was hit by a data leak containing 2.8 billion user IDs. The hackers claimed that they attempted to contact X with the information; following repeated rebukes, the hackers released the information publicly.
So, what can you do to mitigate the chances of your data leaking out to the public? Unfortunately, once it's in the hands of a corporation, there's not much that you can do other than hope security measures are up to snuff.
All I can say is, remain vigilant about email phishing attempts. Don't click links you don't recognize, and always check a sender's email address for irregularities. Stay away from unsecured websites, and keep your PC up to date.
As always, use strong passwords (ideally randomly generated using a password manager), update them frequently, and use multi-factor authentication in case anyone does get a hold of your credentials.
Follow Windows Central on Google News to keep our latest news, insights, and features at the top of your feeds!
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
