Thousands of sensitive ’Israeli‘ army files exposed online: Report

• 'Israeli' newspaper Haaretz reveals thousands of sensitive ’Israeli‘ military documents were publicly accessible online without protection.
• Files labeled “life-threatening” exposed names of pilots, maps of bases, and cyber operations data.

The ’Israeli‘ newspaper Haaretz has revealed one of the most serious digital security failures to hit the 'Israeli' army in recent years, after discovering that thousands of sensitive military documents were publicly accessible online through an unprotected folder linked to the army spokesperson’s unit.

As many as two thousand five hundred ninety PDF files were stored on a commercial server without encryption or access restrictions. Some of the documents were indexed by Google, allowing anyone anywhere in the world to find and download them without any technical expertise, according to a report by Israeli cybersecurity researcher Ran Bar-Zik.

Pilots’ names and military maps exposed

The leaked materials included the full names of ’Israeli‘ air force pilots who took part in an airstrike on the city of Jenin in the occupied West Bank, as well as detailed maps of detention facilities and military bases.

The documents also contained information related to ’Israeli‘ cyber systems targeting Iran, in addition to internal reports from the army spokesperson’s unit itself.

Despite a military censor classifying the materials as “life-threatening information,” the army failed to close the security gap until six days after being formally alerted by Haaretz, prompting sharp criticism over the slow response by an institution widely regarded as technologically advanced.

Systemic failure, not an isolated error

Haaretz traced the breach to the spokesperson unit’s use of a commercial backup and file-sharing system that allowed documents to be distributed via electronic links.

Over recent years, the unit used these links to send statements and materials to journalists. The flaw, however, was that every uploaded document automatically became accessible through a publicly guessable link, including files that should never have been exposed.

The newspaper described the failure as twofold: a fundamental misunderstanding by users of how the system worked, and the absence of basic safeguards such as data encryption, access controls, protection against repeated login attempts, or blocking access from hostile countries.

“A simple Google search”

The breach was initially identified by Or Vialkov, a researcher who studies ’Israeli‘ wars and what he describes as terrorism, and who runs social media channels followed by tens of thousands.

“With a simple Google search, I found hundreds of indexed documents,” Vialkov said. “I realized this was a systematic practice, not a one-off mistake. Some documents included the full names of senior officers and air force pilots whose identities are usually carefully protected.”

He warned that the exposed information could be exploited by hostile actors, including Iran, potentially leading to attempts to harm or abduct those named. “This is a serious security breach that one would not expect from a military body such as the ’Israeli‘ army spokesperson’s unit,” he said.

Delayed response and prior cases

Haaretz reported that even after notifying the army and explaining the severity of the exposure, the initial response was dismissive. Only later did the military censor intervene, demanding that public references to the case be removed on the grounds that it involved “life-threatening information.”

Ultimately, the vulnerability was closed only after direct intervention by the newspaper, which explained that the technical fix required no more than four lines of code on a Microsoft server.

The paper noted that this was not the first time it had uncovered similar leaks involving the army spokesperson’s unit, raising questions about the effectiveness of declared security tightening measures.

Official reactions

The company operating the file-sharing system denied that a cyberattack had occurred, claiming the access was limited to publicly available areas. The ’Israeli‘ army said the system was civilian and non-classified, intended only for non-sensitive materials, while acknowledging that the delay in closing the breach was longer than appropriate.

Haaretz recalled that in November 2021 it exposed another incident in which hundreds of top-secret ’Israeli‘ security documents were made public on a government website due to an internal error.

Speaking to Al Jazeera Mubasher, Palestinian military and security analyst Major General Wasef Erekat described the latest leak as a major scandal for ’Israeli‘ security and intelligence agencies, especially given that the flaw was corrected only after media intervention.

“The documents contain names, numbers, and addresses of officers and officials,” Erekat said. “They include highly sensitive security information that could be exploited by international or Palestinian intelligence services to understand how the Israelis think, plan, and carry out their operations.”