Back to Blog

Nextcloud Data Leak: 367,000 Records Exposed by a Misconfigured Database

Disclosure: This article contains affiliate links. We may earn a commission at no extra cost to you.

Nextcloud is supposed to be one of the good guys. It is the German, open-source, self-hosted answer to Google Drive and Dropbox. It is a headline part of "Euro-Office," the European alternative to Microsoft 365 and Google Workspace. Its whole pitch is that you keep your data on your own servers, in Europe, away from American Big Tech.

So it stings that Nextcloud just leaked 367,000 internal records to the open internet.

Security researchers at Cybernews found an unprotected database, roughly 7.92 GB of Nextcloud's own files, sitting online with no password. In this guide we break down exactly what leaked, why "sovereign" and "self-hosted" do not automatically mean "secure," and the practical steps you can take to protect yourself from the fallout.

Quick summary: A misconfigured Elasticsearch database exposed 367,000 Nextcloud records, including invoices, contracts, emails, and setup scripts with hardcoded credentials. Nextcloud's software was not at fault. The leak is now closed, but the exposed data is a gift to phishing scammers.

What Happened?

On May 18, 2026, the Cybernews research team discovered a publicly accessible Elasticsearch cluster holding 367,000 records and nearly 8 GB of data. Elasticsearch is a popular search and analytics database that companies use to manage large volumes of information. It is powerful, and it is also notoriously easy to leave exposed if you miss a setting.

That is exactly what happened here. The cluster was reachable from the public internet with no authentication in front of it. Anyone who knew the address, or any bot that stumbled across it, could read the contents.

An investigation confirmed the data belonged to Nextcloud itself. All of the records lived in a single index of internal company files. Nextcloud acted quickly once it was told: the company closed the exposed dataset on May 27, two days after the researchers reported it, and notified the relevant state data protection officer as required under the GDPR.

Nextcloud told Cybernews that it found no evidence anyone misused the data, and that no customer, partner, or user servers were affected. A company spokesperson was clear about the cause:

"The issue was caused by a misconfiguration of our hosting infrastructure and is not related to the Nextcloud solution. No other Nextcloud servers belonging to our customers, partners or other users have been affected by this issue."

That distinction matters, and we will come back to it. But first, the uncomfortable part: what was actually in those 367,000 records.

What Was Exposed?

The worrying detail is that a lot of the data was unencrypted, sitting in plain, readable form. Cybernews reported the following categories inside the exposed cluster:

  • Invoices that Nextcloud sent to clients and received from suppliers. These revealed employee email addresses, client company names and addresses, and the email addresses of people who invoiced Nextcloud.
  • Contracts and business documents, including templates and summaries with partnership details such as scope of work, user base size, and terms between Nextcloud and its clients.
  • Email messages stored as .eml files, complete with message content, timestamps, and sender and recipient addresses.
  • Setup scripts. Shell and Python scripts built to help clients install and manage Nextcloud on their own infrastructure. Crucially, some of these scripts contained hardcoded database credentials.
  • Beta sign-up lists revealing the full names and work email addresses of people who registered for beta features and integrations.
  • File metadata, such as HTTP headers, file paths and names, and lists of people that files were shared with. Most of those entries showed first names of likely Nextcloud staff, but some external email addresses appeared too.

Among the external email domains in the data, researchers spotted well-known hosting providers IONOS and STRATO, along with German government institutions such as MSB NRW, the Ministry of Schools and Education of the state of North Rhine-Westphalia.

Why hardcoded credentials are so dangerous: When a setup script contains a database password in plain text, anyone who reads that script gets a working key. Those scripts were written for clients to run on their own systems, which means the leak did not just expose Nextcloud. It handed attackers a map, and in some cases the keys, to probe client environments too.

The Uncomfortable Irony: Sovereignty Is Not Security

Here is why this leak deserves more than a shrug. Nextcloud is not a careless startup. It is one of the most visible symbols of European digital independence. Governments and companies across the EU adopt it precisely because they want to stop sending their documents to American cloud giants. "Euro-Office" positions it as core infrastructure for a Europe that controls its own data.

And yet a single wrong setting on a hosting server exposed a third of a million records anyway.

The lesson is not that Nextcloud is bad, or that self-hosting is a mistake. The lesson is that where your data lives is a different question from how well it is protected. Choosing a European provider gives you better legal protection and keeps your files out of reach of foreign surveillance laws. Those are real benefits. But sovereignty does nothing to stop a misconfigured database from being left open.

The Cybernews team put it plainly:

"The data leak reveals that data security is important regardless of where the files are stored. Even though Nextcloud offers storage solutions that are set up and maintained on client servers, it does not mean that security measures should end there, too."

If you moved your files to a European or self-hosted platform for privacy reasons, that is a smart choice. Just do not assume the badge on the box means the job is done. Security is a practice, not a label.

How Do Databases End Up Exposed Like This?

Exposed databases are one of the most common causes of data leaks, and they almost always come down to human error rather than clever hacking. A database like Elasticsearch is built to be accessed over the network. If you forget to put authentication in front of it, or you bind it to a public network interface instead of a private one, it becomes readable by anyone.

The internet does the rest. Automated bots constantly crawl the web looking for open databases, misconfigured storage buckets, and services with default passwords. They do not need to target a specific company. They simply scan huge ranges of IP addresses and flag anything that answers without a password. This is why researchers found the Nextcloud cluster, and it is why attackers might have found it too. As Cybernews noted, "if our team managed to discover the exposed dataset, threat actors may have too."

Related reading: This is the same pattern behind many recent incidents. See how a third-party analytics vendor exposed 201 million records in the PornHub tracking breach, and how a Dutch telecom lost millions of records in the Odido data breach.

The Real Risk to You: Targeted Phishing

Nextcloud says it has no evidence the data was misused, and the database is now closed. That is good news. But once information has been exposed, you cannot un-expose it, and the most likely fallout from a leak like this is not dramatic hacking. It is patient, convincing fraud.

Think about what a scammer can do with a leaked invoice or contract. They know a real client name, a real project, real amounts, and real email addresses on both sides. With those details, they can send a message that looks exactly like a genuine follow-up from Nextcloud or from a client, asking you to pay an "updated" invoice, confirm account details, or open a document. This is social engineering, and it is how many of the biggest recent breaches started, including the wave of attacks against Salesforce customers.

Employees of both Nextcloud and its clients are the obvious targets. But the technique is universal, and the defenses are the same for everyone.

How to protect yourself

  1. Treat unexpected invoices and payment requests as guilty until proven innocent. If an email references a real project but asks you to pay a new account number or click a link, verify it through a channel you already trust, such as a phone number you look up yourself.
  2. Learn the anatomy of a phishing email. Look at the real sender address, hover over links before clicking, and be suspicious of urgency. Our guide on how to spot email scams walks through a real example.
  3. Use a browser or DNS layer that blocks known malicious links. Filtering tools stop many phishing pages before they load, even if you click by mistake.
  4. Reduce your exposure ahead of time. Use a separate email for sign-ups, turn on two-factor authentication everywhere, and follow a regular routine like our 2026 privacy checklist to shrink how much of your data is floating around.

Extra layer against malicious links: A VPN cannot stop a company from misconfiguring its database, and we will not pretend otherwise. But if you want built-in protection against the phishing and malware links that follow a leak like this, NordVPN's Threat Protection blocks known malicious sites and trackers before they load, on top of encrypting your connection. It is a useful safety net when scam emails start arriving.

What Organizations Should Take Away

If you run infrastructure, this leak is a checklist in disguise. The mistakes here are common and preventable:

  • Never expose a database to the public internet. Bind it to a private network, put it behind a firewall, and require authentication. A database should not answer strangers.
  • Encrypt sensitive data at rest. Much of the Nextcloud data was readable in plain text. Encryption turns a catastrophic leak into a far less useful one.
  • Never hardcode credentials in scripts. Use environment variables or a secrets manager. A password in a script is a password waiting to leak.
  • Scan your own attack surface. The bots looking for your open services already exist. Run the same checks yourself, regularly, before someone else does.

Common Questions About the Nextcloud Data Leak

Was my personal data exposed?

The exposed database held Nextcloud's internal files, so the affected people are mostly Nextcloud staff and their business clients. If you work for Nextcloud, work for a Nextcloud client, or signed up for a Nextcloud beta, your name and work email may be in the data. If you simply run your own Nextcloud instance at home or at work, you were not affected, because the leak did not touch customer servers.

Was this a flaw in the Nextcloud software?

No. Nextcloud says the leak came from a misconfiguration of its hosting infrastructure, not the application. An Elasticsearch database was left open to the internet without authentication. The self-hosted software that customers run on their own servers was not involved.

Does using a European or self-hosted cloud make my data safe?

It helps with data sovereignty and legal protection, but it does not make you safe by default. This incident shows that even a European, privacy-focused, self-hosting company can expose data through a simple mistake. Security depends on how a system is configured and maintained, not on which country it sits in.

What should I do if I might be affected?

Assume your contact details could be used in a phishing attempt. Be extra careful with unexpected invoices, payment changes, and login prompts. Turn on two-factor authentication, and consider changing passwords on any account that reused an exposed email. Watch our phishing guide for the warning signs.

How can I check what my own connection reveals?

You cannot see inside a company's database, but you can see what your own device exposes online. Visit myip.foo to check your public IP address, and run our DNS leak test and WebRTC leak test to confirm your network is not quietly revealing more than you think.

Conclusion

The Nextcloud data leak is a small breach with a big lesson. No customer servers were hit, the exposed database is closed, and there is no evidence of misuse. But 367,000 internal records, many in plain text and some carrying hardcoded credentials, is not a rounding error. It is a reminder that the most damaging leaks rarely come from sophisticated attacks. They come from a checkbox someone forgot to tick.

It is also a reality check for the privacy-minded. Moving your data to a European, self-hosted, open-source platform is a genuinely good decision for sovereignty and legal protection. It is not a magic shield. Whoever holds your data, from the biggest American cloud to the most idealistic European alternative, still has to configure it correctly. Sovereignty is about who has jurisdiction over your data. Security is about who can actually reach it. You need both.

Check your own footprint: You cannot fix someone else's database, but you can tighten your own privacy. Head to myip.foo to see what your IP address reveals, then test for leaks with our DNS Leak Test and WebRTC Leak Test.