Researchers have stumbled upon an unprotected database storing information on the individuals living in roughly 80 million households in the United States.
Noam Rotem and Ran Locar of vpnMentor came across the database as part of what the company calls a “huge web mapping project.” The database was 24 gigabytes in size and it was hosted on Microsoft cloud servers.
The exposed information includes the number of individuals living in a household, address, geographical location, full name, marital status, age, date of birth, gender, income bracket, homeowner status, and dwelling type. Interestingly, the database only appeared to store data on individuals aged over 40.
However, the researchers could not determine who the data belongs to and they have asked for help in identifying the owner. Fields named “member_code” and “score” suggest that it’s owned by a service provider.
“Interestingly, a value for people’s income is given (however, we don’t know if it’s a code for an internal ranking system, a tax bracket, or an actual amount),” vpnMentor said. “This made us suspect that the database is owned by an insurance, healthcare, or mortgage company. However, information one may expect to find in a database owned by brokers or banks is missing. For example, there are no policy or account numbers, social security numbers, or payment types.”
Microsoft told CNET that it notified the owner of the database and helped it remove the data until it can be secured.
Considering that there are roughly 127 million households in the United States, 80 million represents over 60 percent of the total. Since multiple people live in one household, the data leak could impact hundreds of millions of individuals.
“This isn’t the first time a huge database has been breached. However, we believe that it is the first time a breach of this size has included peoples’ names, addresses, and income,” vpnMentor said. “This open database is a goldmine for identity thieves and other attackers.”
vpnMentor believes the exposed information can be useful for a wide range of attacks, including targeted ransomware — the attacker knows the victim’s income so they know how much money to ask for — phishing, and other schemes that involve social engineering.
However, some experts believe people should not be worried about this data leak.
“This is not a goldmine for identity thieves, or even of significant note. It does not contains any payment card information, no social security numbers, no passwords, not even any email addresses. It would have very limited value on the dark web,” John Gunn, CMO of OneSpan, told SecurityWeek. “This is the type of information that countless marketers have been tracking and using for decades and is readily available. Yes, it could help hackers, but there are many other avenues to this type of information and no one should be worried about this, beyond concern for the generally poor security practices of the owner and whatever else they may not be protecting.”