How We Hacked BCG's Data Warehouse — 3.17 Trillion Rows, Zero Authentication — CodeWall

BCG's public-facing BCG X analytics platform exposed an unauthenticated SQL query endpoint that granted unrestricted access to a 131.2 terabyte workforce data warehouse containing 3.17 trillion rows of employment records, including 553 million position histories, 8.7 billion employee movement records, 12.8 billion skills mappings, and 7.8 billion compensation benchmarks from third-party vendors. The vulnerability was found by reviewing the platform's publicly documented API endpoints: most were properly secured, but this database query interface, although exposed to the public internet, verified no authentication, API key, or session token at all.
