ServiceNow tells customers a bug left some of their data exposed to the internet
ServiceNow patched a software bug on June 5 that allowed unauthenticated users to access enterprise customer data without passwords. While ServiceNow stated the issue affected Australian customer instances, reports from users on Reddit indicate potential external access to instances globally. The vulnerability exposed hosted data to anyone on the internet.
How did the ServiceNow bug expose customer data?
A software bug on the ServiceNow platform allowed users to bypass authentication, according to a knowledge base article shared on Reddit. This flaw meant that anyone with an internet connection could potentially gain “greater access” to hosted data than intended, without needing a password or credentials.

ServiceNow provides cloud-based automation for IT and HR systems, meaning the exposed data often includes sensitive business workflows. According to TechCrunch, these instances can store customer support tickets, which frequently contain passwords, API keys, and other credentials. This makes the platform a high-value target for attackers seeking a foothold in corporate networks.
Is the vulnerability limited to Australia?
There’s a discrepancy between official company statements and community reports. ServiceNow told TechCrunch the issue related to Australian customer instances. However, several users on Reddit who are not located in Australia claim they’ve found evidence of external access to their own instances.
Network defenders on Reddit have identified a specific IP address—51.159.98.241—as a potential indicator of compromise. If this IP appears in a customer’s logs, it suggests their data may have been accessed by an unauthorized party. ServiceNow did not immediately respond to TechCrunch’s requests for the total number of affected customers or the duration of the exposure.
What are the long-term risks of SaaS platform vulnerabilities?
This incident highlights a growing trend in “SaaS sprawl,” where companies rely on a few massive cloud giants to handle critical internal operations. When a platform like ServiceNow has a bug, the risk isn’t just a data leak; it’s a systemic vulnerability across thousands of enterprises simultaneously.
We’re seeing a shift toward “Identity-First Security.” Because the perimeter no longer exists in a cloud environment, the only real barrier is identity. When a bug allows “unauthenticated access,” that barrier vanishes. Future security trends will likely move toward Zero Trust Architecture, where the system assumes no user is trusted, regardless of whether they’ve passed a login screen.
How can companies protect themselves from cloud bugs?
Since this was a platform-side bug, customers couldn’t have prevented the vulnerability itself. But they can limit the damage. The trend is moving toward “Data Minimization”—only storing the absolute minimum amount of sensitive data in a third-party cloud.
Experts suggest implementing robust logging and monitoring. If a company had been monitoring for unusual IP addresses (like the one reported on Reddit), they could have identified the breach in real time rather than waiting for a vendor notification. Moving forward, the “Shared Responsibility Model” is evolving; customers are now expected to monitor their own cloud logs rather than trusting the provider’s security entirely.
Frequently Asked Questions
What is unauthenticated access?
It’s a security failure where a user can access private data or system functions without providing a username, password, or any other form of identity verification.
Who was affected by the ServiceNow bug?
ServiceNow stated Australian instances were affected, but community reports on Reddit suggest the impact may be global.
What should I do if I use ServiceNow?
Check your system logs for the IP address 51.159.98.241 and ensure your instance is updated with the June 5 patch.
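One way to run the log check described here and in the monitoring advice above, as an added example that is not from ServiceNow or from the original article. It assumes logs exported as plain text lines with ISO 8601 timestamps; the sample lines, dates, paths and function names are constructed for illustration.

```python
import ipaddress
import re

# Indicator of compromise reported by Reddit users, as quoted in the article.
IOC = ipaddress.ip_address("51.159.98.241")

# Whole-token IPv4 match (optionally IPv4-mapped IPv6), so 151.159.98.241
# and 51.159.98.2410 are not mistaken for the indicator as a substring grep would.
TOKEN = re.compile(r"(?<![\w.])(?:::ffff:)?\d{1,3}(?:\.\d{1,3}){3}(?!\w|\.\d)", re.I)
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")

def addresses(line):
    """Yield each parseable IP in a line, normalising ::ffff:a.b.c.d to IPv4."""
    for tok in TOKEN.findall(line):
        try:
            ip = ipaddress.ip_address(tok)
        except ValueError:
            continue  # e.g. octet > 255 or leading zeros
        yield getattr(ip, "ipv4_mapped", None) or ip

def find_hits(lines):
    """Return (line_no, timestamp or None, line) for every line naming the IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        if IOC in set(addresses(line)):
            ts = TIMESTAMP.search(line)
            hits.append((n, ts.group(0) if ts else None, line.strip()))
    return hits

def exposure_window(hits):
    """First and last timestamped sighting, to scope which records need review."""
    stamps = sorted(ts for _, ts, _ in hits if ts)  # ISO 8601 sorts as text
    return (stamps[0], stamps[-1]) if stamps else None

# Constructed sample log lines (not real ServiceNow output).
SAMPLE = """\
2000-01-01T02:14:07Z GET /page-a src=51.159.98.241 status=200
2000-01-01T02:14:09Z GET /page-b src=151.159.98.241 status=200
2000-01-01T02:15:30Z GET /page-c src=10.1.2.3 xff="51.159.98.241, 10.1.2.3" status=200
2000-01-02T11:00:00Z GET /page-d src=51.159.98.2410 status=400
2000-01-02T23:41:52Z GET /page-e src=::ffff:51.159.98.241 status=200
""".splitlines()

if __name__ == "__main__":
    hits = find_hits(SAMPLE)
    for n, ts, line in hits:
        print(f"line {n} [{ts}]: {line}")
    print("review window:", exposure_window(hits))
```

The forwarded-for match on the third sample line matters when the instance sits behind a proxy, because the connecting address alone would hide the original client.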