AI Company Builder Has a Data Breach

Massive Data Breach Exposes Builder.ai’s 1.29 TB of Sensitive Information

In a concerning lapse of security, Builder.ai, a London-based tech firm specializing in AI-powered application development, left a substantial database exposed online without any password protection or encryption. The unsecured database contained over 3 million records, amounting to 1.29 terabytes of data, with sensitive information about clients, corporate operations, and technical infrastructure.
Details of the Breach

The unprotected database included customer proposals, NDA agreements, invoices, tax forms, screenshots of email exchanges, internal images, and more. Among the most critical files were two documents containing access and configuration details for cloud storage databases, complete with secret access keys. While these keys were not tested by the researcher who discovered them, they could have been exploited by malicious actors to access further confidential information.

Key categories of exposed data include:

337,434 invoices (18 GB of data).
32,810 master service agreements (4 GB), which included non-disclosure agreements revealing names, email addresses, IP addresses, project cost details, and other sensitive project data.

Identifying the Source

The database and its content pointed to Builder.ai, previously known as Engineer.ai before rebranding in 2019. The company operates globally, with offices across the US, Europe, Asia, and the Middle East.
Timeline and Response

The database was first identified on October 28, and the researcher promptly informed Builder.ai of the exposure. Despite the notification, the database remained accessible until November 27. In response to a follow-up inquiry, the company cited “complexities with dependent systems” as the reason for the delay in securing the data.

It is not yet clear if the database was directly managed by Builder.ai or an external contractor. Similarly, the duration of the exposure prior to its discovery and whether unauthorized parties accessed the information remains unknown. A forensic investigation would be necessary to uncover any additional breaches or suspicious activity.
Implications and Risks

This Builder.ai data breach highlights significant shortcomings in data security, particularly regarding access to sensitive corporate documents and technical configurations. The exposure of access keys, in particular, poses a critical risk, as they could have been misused to compromise additional systems.

This event underscores the vital importance of rigorous cybersecurity practices, especially for companies entrusted with handling large volumes of sensitive information in today’s interconnected digital landscape.