Records of 114 Million US Citizen and Companies Exposed Online

A huge database with over 114 million records of US citizens and companies has been discovered sitting online unprotected. The number of individuals impacted by the exposure is estimated to almost 83 million.

Researchers from HackenProof, a penetration testing company based in Estonia, found the massive cache of data via the Shodan search engine, in two Elasticsearch indices.

All the good stuff for a proper scam

One of the instances contained personal information of 56,934,021 US citizens, including sensitive details like full name, employer, job title, email and street address, ZIP code, phone number, and an IP address.

"Another index of the same database contained more than 25 million records with more of a “Yellow Pages” details directory: name, company details, zip address, carrier route, latitude/longitude, census tract, phone number, web address, email, employees count, revenue numbers, NAICS codes, SIC codes, and etc," the company informs in a blog post.

A fact sheet from the company sets the total number of records discovered to 114,686,118 and the people affected to 82,851,841.

Such details are a valuable asset for fraudsters who can use them to target companies and individuals with more efficient spear-phishing emails. Cold calling is another method they can use to scam businesses and individuals.

The researchers were not able to determine the owner of the data but believe it may belong to a 10-year old data management company called Data & Leads Inc. (cached link) based in Toronto, Canada.

Records no longer available

The root cause for the information exposure was a misconfiguration of the Elasticsearch instances that allowed public access to the data without authentication.

This type of mistake is typically exploited by cybercriminals who often plant malware to connect remotely to the server and leverage its resources or to ask for a ransom in exchange for the data they already deleted. 

Sometimes the crooks don't copy the information, so the victim gets nothing even if they comply with the ransom demand.

HackenProof says they received no response from the a Data & Leads representative, but their website went offline before publicly disclosing the privacy blunder. Also, the database is no longer open for access.

It is unclear how long the information was exposed. Shodan indexed it on November 14, but this is just the timestamp when the search engine became aware of its existence online. It may have been available for a longer period and that others accessed it.