Connect with us

Hi, what are you looking for?


Cloud Security

Unprotected Database Stored Information on 80 Million U.S. Households

Researchers have stumbled upon an unprotected database storing information on the individuals living in roughly 80 million households in the United States.

Researchers have stumbled upon an unprotected database storing information on the individuals living in roughly 80 million households in the United States.

Noam Rotem and Ran Locar of vpnMentor came across the database as part of what the company calls a “huge web mapping project.” The database was 24 gigabytes in size and it was hosted on Microsoft cloud servers.

The exposed information includes the number of individuals living in a household, address, geographical location, full name, marital status, age, date of birth, gender, income bracket, homeowner status, and dwelling type. Interestingly, the database only appeared to store data on individuals aged over 40.

However, the researchers could not determine who the data belongs to and they have asked for help in identifying the owner. Fields named “member_code” and “score” suggest that it’s owned by a service provider.

“Interestingly, a value for people’s income is given (however, we don’t know if it’s a code for an internal ranking system, a tax bracket, or an actual amount),” vpnMentor said. “This made us suspect that the database is owned by an insurance, healthcare, or mortgage company. However, information one may expect to find in a database owned by brokers or banks is missing. For example, there are no policy or account numbers, social security numbers, or payment types.”

Microsoft told CNET that it notified the owner of the database and helped it remove the data until it can be secured.

Considering that there are roughly 127 million households in the United States, 80 million represents over 60 percent of the total. Since multiple people live in one household, the data leak could impact hundreds of millions of individuals.

“This isn’t the first time a huge database has been breached. However, we believe that it is the first time a breach of this size has included peoples’ names, addresses, and income,” vpnMentor said. “This open database is a goldmine for identity thieves and other attackers.”

Advertisement. Scroll to continue reading.

vpnMentor believes the exposed information can be useful for a wide range of attacks, including targeted ransomware — the attacker knows the victim’s income so they know how much money to ask for — phishing, and other schemes that involve social engineering.

However, some experts believe people should not be worried about this data leak.

“This is not a goldmine for identity thieves, or even of significant note. It does not contains any payment card information, no social security numbers, no passwords, not even any email addresses. It would have very limited value on the dark web,” John Gunn, CMO of OneSpan, told SecurityWeek. “This is the type of information that countless marketers have been tracking and using for decades and is readily available. Yes, it could help hackers, but there are many other avenues to this type of information and no one should be worried about this, beyond concern for the generally poor security practices of the owner and whatever else they may not be protecting.”

Related: E-Commerce Company Gearbest Leaked User Information

Related: Flaws Exposed Tinder, Shopify, Yelp Users to XSS Attacks

Related: Over a Million Dasan Routers Vulnerable to Remote Hacking

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.


The private equity firm merges the newly acquired ForgeRock with Ping Identity, combining two of the biggest names in enterprise IAM market.