A misconfigured database whose owner has yet to be identified exposes the personal details of 191 million U.S. voters, researcher Chris Vickery has warned.
The database containing the records of more than 191 million individuals, totaling over 300 gigabytes of information, includes names, gender data, home addresses, mailing addresses, phone numbers, dates of birth, party affiliations, and other details dating back to 2000.
Vickery and others have searched the database for their own records and found that the details stored in it are accurate. Another concerning aspect is that the publicly accessible database also includes the records of police officers.
Fortunately, Social Security numbers and driver’s license numbers are not affected. However, the leaked information still poses serious security and privacy risks.
The researcher has identified dozens of leaky databases over the past month and he has done his best to contact impacted organizations. However, in this case, tracking down the operator of the database appears to be a difficult task.
Vickery has been assisted by DataBreaches.net and Steve Ragan of Salted Hash in trying to identify the entity responsible for the database, but they haven’t had any success and the database is still online. DataBreaches.net and Ragan have contacted a congressman’s political action committee (PAC) and several political data firms, including Political Data, L2 Political, Aristotle, NGP VAN and Catalist.
Based on the format of the exposed data, the main suspect appears to be NationBuilder, a platform used by political campaigns worldwide. However, the company told DataBreaches.net that the database’s IP address is not theirs and it’s not associated with any of their hosted clients.
In 2012, NationBuilder announced its intention to compile a free nationwide voter file database containing 170 million accurate records. The service currently boasts over 190 million U.S. voters.
“While the database is not ours, it is possible that some of the information it contains may have come from data we make available for free to campaigns. From what we've seen, the voter information included is already publicly available from each state government so no new or private information was released in this database,” NationBuilder founder and CEO Jim Gilliam said in a statement sent to SecurityWeek.
“We strongly believe in making voter information more accessible to political campaigns and advocacy groups, so we provide cleaned versions of that publicly accessible information to them for free. We do not provide access to anyone for non-political purposes or that would violate any state’s laws. Each state has different restrictions, and we make sure that each campaign understands those restrictions before providing them with any data. It is vital that everyone running for office knows who is registered to vote in their district,” Gilliam added.
DataBreaches.net has reached out to both the FBI and the California Attorney General’s Office, but it’s unclear what steps these organizations have taken to identify the owner of the database and to address the issue.
Vickery’s research has focused on Amazon AWS S3 buckets and MongoDB databases. However, in this case, the expert told SecurityWeek that he is not disclosing any details until the database is secured.
In the United States, each state decides what information to include in its voter database, sets restrictions on the use of the database, and determines its cost.
In many states there are no restrictions on how voter data can be used; some states allow use only for political or election purposes, and others strictly prohibit commercial use.
Other Leaky Databases
Vickery has identified dozens of poorly configured database management systems that at one point exposed more than 30 million credentials. The leaky databases identified by the expert are associated with MacKeeper, Hello Kitty owner Sanrio, Alliance Health, Uncle Maddio’s Pizza Joint, OkHello, Slingo and many others.
The expert informed SecurityWeek over the weekend that AARP, previously known as the American Association of Retired Persons, operates a database that exposes the details of 1.4 million accounts associated with people who signed up on AARP’s Life Reimagined website.
Vickery said he contacted AARP on December 19, but the issue still hasn’t been addressed. AARP had not responded to SecurityWeek’s request for comment by the time of publication.
*Updated with statement from NationBuilder