California Voter Data Stolen from Insecure MongoDB Database

An improperly secured MongoDB database has provided cybercriminals with the possibility to steal information on the entire voting population of California, Kromtech security researchers reported.

The information was taken from an unprotected instance of a MongoDB database that was exposed to the Internet, meaning that anyone connected to the web could have accessed, viewed, or edited the database’s content. 

Named ‘cool_db‘, the database contained two collections, one being a manually crafted set of voter registration data for a local district, while the other apparently including data on the voting population from the entire state of California: a total of 19,264,123 records.

Bob Diachenko, head of communications, Kromtech Security Center, explains that the security firm was “unable to identify the owner of the database or conduct a detailed analysis.” It appears that the database has been erased by cybercriminals who dropped a ransom note demanding 0.2 Bitcoin for the data. 

Given the presence of said ransom note, the incident is believed to be related to the MongoDB ransack campaign that resulted in tens of thousands of databases being erased in January 2017. Similar attacks were observed in September as well, when MongoDB decided to implement new data security measures. 

“We were able to analyze the stats data we saw in our report (metadata on total number of records, uptime, names of the collection etc.), as well as 20-records sample extracted from the database shortly before it has been wiped out and ransom note appeared,” Diachenko says. 

Kromtech’s security researchers haven’t determined who compiled the voter database but believe that a political action committee might have been behind it, given the unofficial name the repository had. 

The miscreants behind the attack used ransomware to wipe out the voter data, but are believed to have copied the database to their server first. “Once in the hands of cyber criminals this voter data could end up for sale on the Dark Web. If this were an official database, deleting parts of that data could affect someone’s voting process,” the security researchers note. 

The first, smaller collection (4GB) contained data structured with rows containing many fields that included home address, phone number, date of birth, and many more.

Based on EstractDate information, the database appears to have been created on May 31, 2017.

The second, much larger collection (22GB) in the database, which appears to be the complete California voter registration records, contains a total of 409,449,416 records. 

The data in the larger collection includes: District, RegistrantId, CountyCode, DistrictName and ObjectId.

“This is a massive amount of data and a wakeup call for millions citizens of California who have done nothing more than fulfil the civic duty to vote. This discovery highlights how a simple human error of failing to enact the basic security measures can result in a serious risk to stored data. The MongoDB was left publically available and was later discovered by cyber criminals who seemed to steal the data, which origin is still unknown,” Diachenko concludes. 

The researchers note that the database has been taken down after being initially discovered in early December. The Secretary of State of California was aware of the leak and “looking into it,” Diachenko said. 

Related: Contractor Exposes Details of 198 Million American Voters

Related: MongoDB Tightens Security Amid New Database Attacks