Safeey.io
File Exposure

Exposed Database Backups: The Breach You Hand to Attackers

Picture a bank with reinforced vaults, armed guards, and biometric locks — and then a photocopy of everything in the vault left in a cardboard box by the back door, labelled "backup." That's what an exposed database backup is. All the effort you put into securing the live database is undone by a single downloadable file.

And it happens constantly.

How the file gets there

Nobody deliberately publishes their database to the internet. Exposed backups appear through small, forgettable mistakes:

  • You take a quick database dump to debug something — backup.sql, dump.sql, db.sql — and leave it in the project folder, which then gets deployed to the web root.
  • A migration or export tool writes a file into a public directory.
  • An automated backup process saves to a location that turns out to be web-accessible.
  • You compress the whole site — backup.zip, www.tar.gz, site-backup.zip — to move it somewhere, and forget to remove the archive.
  • A database admin tool leaves an export reachable.

None of these feel like "publishing my database." They feel like housekeeping. But the moment that file sits at a URL, it's public.

Why attackers love it

Finding an exposed backup is one of the highest-reward, lowest-effort things an attacker can do, because a backup usually contains everything at once:

  • Every user record — names, emails, addresses, phone numbers.
  • Password hashes, ready to be cracked offline at leisure.
  • Session tokens, API keys, and secrets stored in the database.
  • Your entire schema and business data — orders, messages, internal notes.

There's no exploit to write, no vulnerability to chain. It's a direct download. And crucially, it's silent: fetching a file leaves nothing in your logs that looks like an attack. You often have no idea it happened until the data shows up somewhere.

How they find files nobody linked to

Here's the part people underestimate. "But I never linked to that file — how would anyone find it?"

Attackers don't need a link. They use automated tools that request thousands of common filenames on every site they target: backup.sql, database.sql, dump.sql, db_backup.zip, backup.tar.gz, and hundreds of variations — including ones built from your own domain name (yoursite.com.zip, yoursite.sql). They fire the whole list at your server and see what returns a file instead of a "not found."

This is exactly the reconnaissance that runs against every public site, all day, every day. Your file doesn't need to be discoverable. It just needs to exist at a guessable path.

How to protect yourself

  • Never store backups in the web root. Keep them outside any directory the web server can serve, or in dedicated backup storage entirely off the machine.
  • Automate backups to private storage (an access-controlled bucket, not a public folder), and set retention so they don't pile up.
  • Clean up after debugging. That "quick dump" is the single most common culprit — delete it the moment you're done.
  • Configure your server to deny access to database and archive file extensions as a safety net.
  • Actively check whether any of the common backup paths on your own site return a file — because that's precisely what the attackers are checking.

Where Safeey comes in

This is one of Safeey's core strengths. On every scan, Safeey probes over a thousand common exposure paths — including hundreds of backup, dump, and archive filenames, and variations built from your own domain — and tells you exactly which ones are publicly reachable. Better still, it uses content analysis to avoid false alarms on sites that return a page for every URL, so a "backup found" from Safeey means a real, downloadable file. It's the difference between finding your exposed backup yourself, today, and having someone else find it first.

Scan your site with Safeey to see if a copy of your database is sitting in the open.

Found this useful? Share it.

See what your site exposes

Safeey runs 1,700+ checks and shows you exactly what an attacker would find — with the fixes.

Scan your site