A publicly-accessible database with information on roughly 80 million American households has been discovered on a Microsoft cloud server, representing more than half of the total number of U.S. households.
While at the moment there is no information pointing at who is the company who left the 24 GB worth of data exposed, vpnMentor’s research team in collaboration with hacktivists Noam Rotem and Ran Locar—who found the unprotected database on a Microsoft cloud server—are currently in the process of identifying its owner(s).
The fact that all entries found in the database contain the "member_code" and "score" point to the huge collection of information belonging to a service which used it as a member tracking tool.
The leaked household data
As described in the report published by Rotem and Locar, the leaked database was used to organize the information in a "household" format instead of focusing on the individuals as most such data collections do.
The leaked info includes:
- Full addresses, including street addresses, cities, counties, states, and zip codes
- Exact longitude and latitude
- Full names, including first, last, and middle initial
- Age
- Date of birth
While there's a lot of data available in human-readable form, the database also contains coded info presented in the form of "internally-assigned numerical values" related to:
- Title
- Gender
- Marital status
- Income
- Homeowner status
- Dwelling type
"This isn’t the first time a huge database has been breached. However, we believe that it is the first time a breach of this size has included peoples’ names, addresses, and income," stated Rotem and Locar. "This open database is a goldmine for identity thieves and other attackers."
Why it stands out
Even though data breaches have become very common, this leaked database stands out for at least a couple of reasons not taking into account the fact that 80 million households translates in a huge number of individuals being affected, somewhere in the range of hundreds of millions of people having their addresses, locations, and dates of birth exposed.
First of all, all the entries stored in the database are of people under 40, this being the only item of information connecting all the individuals part of the approximately 80 million households.
Secondly, every entry in the leaked collection of households comes with an "income" and "homeowner" tag which could be related to "an internal ranking system, a tax bracket, or an actual amount."
However, as the vpnMentor report states, this would mean that the info found in the publicly-accessible database is owned by a mortgage or insurance company. Despite this, there is no specific information on payments, social security numbers, or account numbers, something that such a collection of data should include.
Rotem was behind another important discovery back in January, when he found that attackers could potentially view and change private info in flight bookings made by millions of major international airlines' customers because of a security issue present in the Amadeus online booking system.
.jpg)
Comments
Josephscottstevens - 4 years ago
What the heck? Are there still dinosaurs that believe data privacy on the internet is like... Newsworthy?
This just in. If your data is on the internet, or accessible from the internet. It's not private! By definition!
If you don't want data to be "leaked". Don't put it on the internet.
And if you do put it on the internet, don't whine when someone "leaks it".
Warthog-Fan - 4 years ago
The only way to keep your personal info OFF of the internet is NOT USE the internet. In today's world, that is still possible, but would be difficult to do.
zingo156 - 4 years ago
The problem with keeping your data off of the internet is, it is nearly impossible. Think about things like hospital visits where everything is logged, put into a digital database that is likely accessible by other hospitals clear across the country. What about a vehicle you purchase, do they enter your data into their database which is stored online? What about a home purchase? Credit companies track info and keep it online. With many/most companies moving data to the cloud/online, it has become much harder to secure that data. Even if you think you are keeping your data offline, likely, somewhere, it is out there. It seems better protection for the consumer is needed and maybe stronger penalties for these breaches.
pbergonzi - 4 years ago
I just now had to log in to post a comment--is this a phishing scam?