Nextcloud Data Leak Puts 367,000 Staff and Client Records at Risk — Here’s What Happened

Nextcloud Data Leak Puts 367,000 Staff and Client Records at Risk — Here’s What Happened

Nextcloud left 367,000 internal records publicly accessible after a hosting mistake. Here’s what was leaked, who may face risks, and how you can better protect your information online from scams.

What Happened?

According to Cybernews, Nextcloud — a German company behind cloud and workplace software — left 367,000 internal records publicly accessible.

Researchers found the database on May 18, 2026. It held nearly 8GB of data, including information linked to Nextcloud staff and client companies.

Nextcloud said a hosting misconfiguration, or incorrect server setting, caused the leak. The company closed the database on May 27.

Nextcloud also reported the incident to the relevant state data protection officer.

The company found no evidence that anyone misused the leaked information. It also said customer, partner, and other user servers were not affected.

Still, leaked business details can create risks long after the original incident disappears from the news. Criminals may use real names, emails, invoices, or company relationships to make phishing messages look more believable.

It is also worth remembering that your information may already have been leaked in another incident without you knowing.

If you are not sure whether your information was leaked somewhere online, automatic monitoring can help you spot problems earlier.

Futureproof monitors your data for leaks 24/7 and helps you reduce scam risks with simple, clear steps.

Who Was Affected and What Data Was Leaked?

The records mainly involved Nextcloud staff and client companies. The exact number of affected people was not shared.

The leaked files included:

  • employee email addresses
  • client company names and addresses
  • invoices and contracts
  • email messages with timestamps, senders, and recipients
  • full names and work emails from beta feature signups
  • scripts, or small files with computer instructions, used to set up and manage Nextcloud for clients
  • details about business partnerships and services

Some scripts contained database login details written directly into the files.

Other files were unencrypted, meaning their contents were readable without extra protection. 

These details can help criminals make phishing emails, or fake messages designed to steal information or money, look more believable.

A message may mention a real supplier, contract, invoice, or work relationship.

The leaked scripts could also help attackers look for weak points in some client systems. However, the scripts alone would not provide full access.

How a Hosting Mistake Caused the Nextcloud Data Leak

Cybernews found the records in a database that was open to the internet. This was a data leak, not a confirmed break-in.

No one had to bypass a password or break into the system to view the files.

Nextcloud said an incorrect setting in its hosting system caused the problem.

Cybernews said automated bots, or computer programs, often search the web for open databases like this.

That means an open database can be found even when no person is searching for it manually.

Nextcloud fixed the setting after researchers reported it. The company has not found evidence that criminals accessed the leaked records.