A contractor managed a part of Universal Music Group’s IT systems had deployed an instance of an Apache Airflow server without securing it with a password. Airflow servers are meant to be deployed inside internal networks, hidden behind firewalls. By default, such servers don’t use authentication by default. But a security researcher discovered an instance open wide on the Internet earlier this month. The leak exposed FTP credentials, AWS configuration details (secret access key and password), and internal source code for Universal Music’s IT network.
Source: https://www.bleepingcomputer.com/news/security/contractor-exposes-credentials-for-universal-music-groups-it-infrastructure/