QA DB with non-masked data

Greetings, fellows.

Recently, I just gained access to a database of a project. There I found some sensitive data, like providers' numbers, telephones and e-mails, which I have checked and are genuine. I also found other identification numbers that are subject to asset freezing, members of illegal groups.

Despite it being a database labeled with QA at the beginning, should this be reported as leakage of business information?

Thanks for your help, always appreciated as usual.


More importantly, if you could access a database from anywhere, you must report FIN.S.0024 Unrestricted network access, because a database should only be accessed by its application and one administrative segment; there is the vulnerability.

Even though the database is from QA, we cannot ensure that the production environment is not misconfigured as well. And finally, if that database is from a cloud provider, an attacker could send an infinite number of queries, and that data usage is money lost for the company.

Also, if you're 100% sure that that sensitive data is real, then yes, you should report it as leakage of business information, but be sure to report the first one.


Must be reported. Test data should be masked; if the test data is real, there is a big issue.


Yeah, I found documents on the internet of the providers. Kudos Martian-wolf and blue-snot.