Dark Web News Analysis
A threat actor on a hacker forum is advertising the sale of a 1.8 TB database allegedly belonging to Ernst & Young (EY).
Brinztech Analysis:
- The “1.8 TB” vs. “4 TB” Discrepancy: This listing is assessed with high confidence to be the compressed form of the 4 TB SQL Server backup (.BAK) that researchers at Neo Security found exposed on a public Azure container in late October 2025. Compression ratios for SQL backups vary with the data they hold, but roughly 2:1 is typical, so a 1.8 TB archive is consistent with a 4 TB uncompressed file. Note that this assessment rests on the size match and the naming of EY in the listing; no sample of the data has been reviewed.
- The Confirmed Incident: In late October 2025, EY confirmed that a cloud misconfiguration had exposed a large backend database. EY stated that the data was secured within a week and that the exposure involved an acquired subsidiary (EY Italy). If the listing is genuine, the file was copied before the container was locked down.
- Alternative Possibility: 1.8 TB is also the exact size the Cl0p ransomware gang claimed for its Logitech data leak in November 2025. This is less likely given that the listing names EY specifically, but sellers do sometimes recycle or confuse figures across “dump” posts.
Key Cybersecurity Insights
If the listing is genuine, it indicates that the cloud exposure EY described as “secured” was harvested before it was closed:
- “Secured” Does Not Mean “Safe”: Closing the open Azure container in October ended the exposure, but not before the file had been downloaded. Automated scanners and opportunistic actors continuously enumerate public storage, so a window of days is ample time to pull even a multi-terabyte file; any exposure window should be treated as a compromise until proven otherwise.
- Critical Infrastructure Data: The exposed backup (.BAK) reportedly contains API keys, session tokens, service account passwords, and authentication credentials. That is more than customer PII; it is a blueprint of the company’s internal infrastructure together with the keys to parts of it.
- Supply Chain Risk: If the data includes credentials for EY’s consulting platforms or client portals, it could be used to pivot from EY into its global client base.
- Financial Motive: Selling on a forum indicates the actor wants to monetize the data quickly rather than reserve it for a single targeted attack, which increases the chance of it reaching ransomware groups or Initial Access Brokers.
Mitigation Strategies
In response to this claim, EY clients and partners should take the following defensive measures:
- Rotate Shared Credentials: If your organization has shared API keys, service accounts, or other secrets with EY (especially in connection with the Italian subsidiary or recent projects), rotate them now rather than waiting for confirmation of scope.
- Review Access Logs: Audit authentication and access logs for unusual activity from EY-associated accounts or IP ranges. Leaked session tokens remain usable until they expire or are revoked, so confirm that sessions issued to EY-integrated identities have been invalidated.
- Enhanced Monitoring: Your organization will not have the leaked dataset itself, so build the watchlist from your own records: every API key, service account, and integration identity ever provisioned for EY work. Alert on any use of those identities, particularly from unfamiliar source addresses or after the credential should have been rotated.
- Vendor Risk Assessment: Request confirmation from EY of the scope of the 4 TB exposure and whether your organization’s data was part of the exposed SQL backup file.
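The three steps above (rotate, review logs, monitor) can be driven from one inventory of credentials you shared with the vendor. The script below is an added illustration written for this post, not Brinztech's tooling and not derived from the leaked data. The credential names, the vendor IP range (a TEST-NET block), the exposure window start date and the JSON log lines are all constructed for the example. It lists which shared credentials still need rotation, then scans the log for any use of a vendor-shared identity and flags three conditions: use from an address outside the vendor's known ranges, use of a credential that has not been rotated since the exposure window opened, and a successful authentication with an API key or session token after it was supposedly revoked.

```python
"""Flag use of vendor-shared credentials in authentication logs after a vendor exposure."""
from datetime import datetime, timezone
import ipaddress
import json

# Assumed start of the exposure window; adjust to the vendor's stated timeline.
EXPOSURE_WINDOW_START = datetime(2025, 10, 1, tzinfo=timezone.utc)

# Constructed inventory: identities/secrets our organization provisioned for vendor work.
# For api_key and session_token entries the key is the credential's own identifier, so
# a successful auth with it after rotation means revocation did not take effect.
# For service accounts the name survives a password rotation, so only the
# "not yet rotated" and "unexpected source" checks apply.
SHARED_CREDENTIALS = {
    "svc-ey-datafeed":     {"kind": "service_account", "rotated_at": None},
    "key-ey-reporting-01": {"kind": "api_key",         "rotated_at": "2025-11-05T09:00:00Z"},
    "sess-ey-portal-7f3a": {"kind": "session_token",   "rotated_at": None},
}

# Assumed source ranges the vendor normally connects from (TEST-NET-3, for illustration).
VENDOR_SOURCE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed JSON-lines auth log; one event per line.
SAMPLE_AUTH_LOG = """\
{"ts": "2025-11-10T08:12:03Z", "principal": "svc-ey-datafeed", "src_ip": "203.0.113.20", "result": "success"}
{"ts": "2025-11-10T08:15:41Z", "principal": "svc-ey-datafeed", "src_ip": "198.51.100.7", "result": "success"}
{"ts": "2025-11-11T02:00:09Z", "principal": "key-ey-reporting-01", "src_ip": "203.0.113.21", "result": "success"}
{"ts": "2025-11-11T02:01:15Z", "principal": "sess-ey-portal-7f3a", "src_ip": "192.0.2.55", "result": "success"}
{"ts": "2025-11-11T03:30:00Z", "principal": "alice@example.com", "src_ip": "192.0.2.10", "result": "success"}
{"ts": "2025-11-09T12:00:00Z", "principal": "key-ey-reporting-01", "src_ip": "203.0.113.21", "result": "failure"}
"""


def parse_ts(value):
    """Parse an ISO-8601 timestamp; tolerate the trailing 'Z' on older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def principals_needing_rotation(inventory=SHARED_CREDENTIALS):
    """Step 1: every shared credential with no rotation recorded since the exposure."""
    return sorted(name for name, meta in inventory.items() if meta["rotated_at"] is None)


def is_vendor_source(ip, ranges=VENDOR_SOURCE_RANGES):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def analyse(log_text, inventory=SHARED_CREDENTIALS, ranges=VENDOR_SOURCE_RANGES):
    """Steps 2 and 3: scan auth events for suspicious use of vendor-shared identities."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        cred = inventory.get(event["principal"])
        if cred is None:
            continue  # not an identity we shared with the vendor
        ts = parse_ts(event["ts"])
        reasons = []
        if not is_vendor_source(event["src_ip"], ranges):
            reasons.append("unexpected_source_ip")
        rotated_at = cred["rotated_at"]
        if rotated_at is None and ts >= EXPOSURE_WINDOW_START:
            reasons.append("unrotated_credential_in_use")
        elif (rotated_at is not None
              and cred["kind"] in ("api_key", "session_token")
              and event["result"] == "success"
              and ts > parse_ts(rotated_at)):
            reasons.append("revoked_credential_accepted")
        for reason in reasons:
            findings.append({"ts": event["ts"], "principal": event["principal"],
                             "src_ip": event["src_ip"], "reason": reason})
    return findings


if __name__ == "__main__":
    print("Still to rotate:", principals_needing_rotation())
    for f in analyse(SAMPLE_AUTH_LOG):
        print(f"{f['ts']} {f['principal']:<22} {f['src_ip']:<15} {f['reason']}")
```

On the sample data the scan reports six findings: the unrotated service account and session token on every use, the service account and the session token each once from an address outside the vendor range, and one successful authentication with the reporting key after its recorded rotation. The failed attempt with that key on 9 November is not flagged, since a rejected old key is exactly what rotation should produce. In a real deployment the inventory would come from your secrets manager or vendor-onboarding records and the log from your IdP or gateway, but the three checks are the same.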
Secure Your Business with Brinztech — Global Cybersecurity Solutions
Brinztech protects organizations worldwide from evolving cyber threats. Whether you’re a startup or a global enterprise, our expert solutions keep your digital assets safe and your operations running smoothly.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com