An unsecured Apache Airflow server at cloud data storage contractor Agilisium exposed internal FTP credentials, SQL passwords and AWS secret access key and password information for Universal Music Group.

Researchers at the Kromtech Security Center, who discovered the unprotected server, said in a blog post that because Airflow is wide open by default, organizations “must take the steps to secure the server,” steps that “were obviously skipped by whomever set up this server.”

By failing to adequately safeguard the server, “they inadvertently exposed everything,” Kromtech researchers wrote.

“The amount of damage a single contractor with lax security controls can do is staggering. If you don’t believe that, just ask Target and the HVAC contractor that led to that infamous breach,” said Bryan Gale, chief product office at CyberGRX. “Universal Music Group interacts with thousands of third parties on a daily basis, and it only took one – a contractor who forgot to password protect an Apache Airflow server – to leave the keys to the kingdom exposed.”

Gale said these incidents will continue “until organizations start prioritizing third-party risk management and actively maintain ongoing visibility into their ecosystem.”