ServiceNow Alerts Customers After Software Flaw Exposed Data Online

Cloud software giant ServiceNow has notified some enterprise customers after discovering a software bug that allowed data stored on certain customer instances to be accessed over the internet.

According to a knowledge base article shared on Reddit, ServiceNow said it patched affected customer instances on June 5 after identifying a flaw that allowed unauthenticated users to gain broader access to ServiceNow-hosted data than intended.

The vulnerability meant that individuals could potentially access information stored in customer instances without needing credentials such as usernames or passwords.

ServiceNow said the incident was not the result of a cyberattack. Instead, the activity was linked to security researchers who were testing the platform for vulnerabilities as part of a bug bounty programme.

“Alongside our own investigation, we have been in contact with the security researchers who initially reported this issue and can confirm that evidence of the observed activity came from those security researchers and customer research teams, not bad actors,” said ServiceNow spokesperson Courtney Johnson. “The security researchers have advised that their activity was solely for bug bounty submissions, and no data was used or retained.”

The company did not identify the researchers involved and has not disclosed how many customers may have been affected.

Because the incident stemmed from a software flaw rather than a breach, it remains unclear whether customers could have taken any steps to prevent the exposure before the issue was fixed.

ServiceNow provides cloud-based workflow and automation software used by thousands of organisations worldwide. Businesses rely on the platform to connect systems, automate internal processes, manage support requests, onboard employees, and power chatbot services.

Given the amount of sensitive information that can be stored in these environments, including credentials, passwords, and support records, platforms such as ServiceNow are often attractive targets for cyberattacks.

The company said the issue affected customer instances running its Australia releases. However, several Reddit users reported finding signs of external access involving other versions of ServiceNow software as well.

Cybersecurity professionals also shared the IP address 51.159.98.241, which they said could indicate potential data access activity if it appears in customer logs.

While ServiceNow maintains that security researchers rather than malicious actors conducted the observed activity, the incident underscores the importance of quickly identifying and addressing software vulnerabilities that could expose enterprise data.