Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

Misconfigured Database Exposes Details of 191 Million Voters

A misconfigured database whose owner has yet to be identified exposes the personal details of 191 million U.S. voters, researcher Chris Vickery has warned.

A misconfigured database whose owner has yet to be identified exposes the personal details of 191 million U.S. voters, researcher Chris Vickery has warned.

The database containing the records of more than 191 million individuals, totaling over 300 gigabytes of information, includes names, gender data, home addresses, mailing addresses, phone numbers, dates of birth, party affiliations, and other details dating back to 2000.Voter database found online

Vickery and others have searched the database for their own records and found that the details stored in it are accurate. Another concerning aspect is that the publicly accessible database also includes the records of police officers.

Fortunately, social security numbers and driver’s license numbers are not affected. However, the leaked information still poses serious security and privacy risks.

The researcher has identified dozens of leaky databases over the past month and he has done his best to contact impacted organizations. However, in this case, tracking down the operator of the database appears to be a difficult task.

Vickery has been assisted by and Steve Ragan of Salted Hash in trying to identify the entity responsible for the database, but they haven’t had any success and the database is still online. and Ragan have contacted a congressman’s political action committee (PAC) and several political data firms, including Political Data, L2 Political, Aristotle, NGP VAN and Catalist.

Based on the format of the exposed data, the main suspect appears to be NationBuilder, a platform used by political campaigns worldwide. However, the company told that the database’s IP address is not theirs and it’s not associated with any of their hosted clients.

In 2012, NationBuilder announced its intention to compile a free nationwide voter file database containing 170 million accurate records. The service currently boasts over 190 million U.S. voters.

“While the database is not ours, it is possible that some of the information it contains may have come from data we make available for free to campaigns. From what we’ve seen, the voter information included is already publicly available from each state government so no new or private information was released in this database,” NationBuilder founder and CEO Jim Gilliam said in a statement sent to SecurityWeek.

“We strongly believe in making voter information more accessible to political campaigns and advocacy groups, so we provide cleaned versions of that publicly accessible information to them for free. We do not provide access to anyone for non-political purposes or that would violate any state’s laws. Each state has different restrictions, and we make sure that each campaign understands those restrictions before providing them with any data. It is vital that everyone running for office knows who is registered to vote in their district,” Gilliam added. has reached out to both the FBI and the California Attorney General’s Office, but it’s unclear what steps these organizations have taken to identify the owner of the database and to address the issue.

Vickery’s research has focused on Amazon AWS S3 buckets and MongoDB databases. However, in this case, the expert told SecurityWeek that he is not disclosing any details until the database is secured.

In the United States, each state decides what information to include in voted databases, sets restrictions for the use of the database, and determines the cost of the database.

While in many states there are no restrictions on how voter data can be used, there are some states that allow use only for political or election purposes, while others strictly prohibit commercial use.

Other Leaky Databases

Vickery has identified dozens of poorly configured database management systems that at one point exposed more than 30 million credentials. The list of leaky databases identified by the expert are associated with MacKeeper, Hello Kitty owner Sanrio, Alliance Health, Uncle Maddio’s Pizza Joint, OkHello, Slingo and many others.

The expert informed SecurityWeek over the weekend that AARP, previously known as the American Association of Retired Persons, operates a database that exposes the details of 1.4 million accounts associated with people who signed up on AARP’s Life Reimagined website.

Vickery said he contacted AARP on December 19, but the issue still hasn’t been addressed. AARP has not responded to SecurityWeek’s request for comment by the time of publication.

*Updated with statement from NationBuilder

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybersecurity Funding

CommandK announced that it has raised $3 million in a seed funding round for a solution designed to help organizations secure sensitive data.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...