A database owned by the email delivery and marketing firm Maropost was reportedly found open and unsecured exposing about 95 million customer records.

Researchers at CyberNews initially found the database in early February noting it contained 19.2 million unique email addresses and marketing logs containing the relevant metadata for these emails, such as the exact date and time the emails were sent, who sent them and to whom.

The data resided on a Google Cloud server and was locked down on April 1. CyberNews claimed it tried multiple times using email, social media and the telephone to inform Maropost of the issue.

CyberNews said no PII was included in the database, but pointed out the email addresses and metadata could be used in phishing and BEC scams.

Kelly White, CEO of RiskRecon, said Maropost is not alone in its responsibility saying its customers must also make sure their data is being properly handled.

“It is also rooted in the failure of Maropost’s customers to hold them accountable to operating a strong security risk management program. Companies must operate robust third-party security risk management programs that hold their vendors accountable to implementing good security practices,” he said.

SC Media has contacted Maropost for comment.