According to Fox News, sensitive U.S. military emails spilled online after a government email cloud server was connected to the internet without a password. The cloud server was exposed for around two weeks, making it possible for anyone with internet access and knowledge of the server’s IP address to access the sensitive emails.

TechCrunch, who first reported on the spillage, revealed that Anurag Sen, a security researcher, found the exposed server. The server was hosted on Microsoft’s Azure government cloud for the Defense Department’s customers and can be used to share sensitive but unclassified government data.

According to TechCrunch, the server has several internal military messages containing sensitive personnel information, such as a completed SF-86 questionnaire.

Federal employees usually fill out an SF-86 questionnaire during the application for a security clearance. The questionnaire contains sensitive background information, such as personal and health information valuable to U.S. foreign adversaries.

The Defense Department’s U.S. Special Operations Command (USSOCOM) told TechCrunch in an email that the spillage was not a result of any hack.

 “We can confirm at this point is no one hacked U.S. Special Operations Command’s information systems,” USSOCOM spokesperson Ken McGraw said in an email.

McGraw also told CNN in an email that USSOCOM had begun investigating the server exposure while reiterating that no one hacked the “U.S. Special Operations Command’s information systems.”

While McGraw declined to provide further details on the department’s investigation, a spokesperson for the U.S. Cyber Command told The Hill that the department, as a matter of practice and operational security, does not comment on the status of its networks and systems.

“Our defensive cyber operators proactively scan and mitigate the networks they manage,” the spokesperson said in an email to The Hill. “Should any incidents be discovered during these regular operations, we fully mitigate, protect, and defend our networks and systems. Any information or insight is shared with relevant agencies and partners if appropriate.”

It’s unclear if anyone other than Anurag Sen had access to the server before the Defense Department was alerted.