A team of security researchers has claims to have found a publicly-accessible database that exposes information on more than 80 million U.S. households—nearly 65 percent of the total number of American households.
Discovered by VPNMentor’s research team lead by hacktivists Noam Rotem and Ran Locar, the unsecured database includes 24GB of extremely detailed information about individual homes, including their full names, addresses, ages, and birth dates.
The massive database which is hosted on a Microsoft cloud server also contains coded information noted in “numerical values,” which the researchers believe correlates to homeowners’ gender, marital status, income bracket, status, and dwelling type.
Fortunately, the unprotected database does not contain passwords, social security numbers or payment card information related to any of the affected American households.
The researchers verified the accuracy of some data in the cache, but they did not download the complete data in order to minimize the invasion of privacy of the affected ones.
The research team discovered the database accidently while running a web mapping project using port scanning to examine known IP blocks in order to find holes in web systems, which they then examine for weaknesses and data leaks.
Usually, the team alerts the database owner to report the leak so that the affected company could protect it, but in this case, the researchers were unable to identify the owner of the database.
“Unlike previous leaks we’ve discovered, this time, we have no idea who this database belongs to,” the team says in a blog post. “It’s hosted on a cloud server, which means the IP address associated with it is not necessarily connected to its owner.”
The unsecured Database was online until Monday and required no password to access, which has now been taken offline.
Since each entry in the database ends with ‘member_code’ and ‘score’ and no one listed is under the age of 40, the researchers suspect the database could be owned by insurance, healthcare, or mortgage company.
However, information like policy or account numbers, social security numbers, and payment types is missing from the database that someone may expect to find in a database owned by brokers or banks.
The researchers then called on the public on Monday to help them identify who might own the database in question so that it can be secured.
Though the database did not expose sensitive card information or SSNs, the disclosed data is enough to be concerned about identity theft, fraud, phishing scams, and even home invasion.
Rotem is the same security researcher who earlier this year found a severe vulnerability in the popular Amadeus online flight ticket booking system that could have allowed remote hackers to view and modify travel details of millions of major international airlines’ customers and even claim their frequent flyer miles.
Leave a Reply