Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Unprotected Database Stored Information on 80 Million U.S. Households

Researchers have stumbled upon an unprotected database storing information on the individuals living in roughly 80 million households in the United States.

Researchers have stumbled upon an unprotected database storing information on the individuals living in roughly 80 million households in the United States.

Noam Rotem and Ran Locar of vpnMentor came across the database as part of what the company calls a “huge web mapping project.” The database was 24 gigabytes in size and it was hosted on Microsoft cloud servers.

The exposed information includes the number of individuals living in a household, address, geographical location, full name, marital status, age, date of birth, gender, income bracket, homeowner status, and dwelling type. Interestingly, the database only appeared to store data on individuals aged over 40.

However, the researchers could not determine who the data belongs to and they have asked for help in identifying the owner. Fields named “member_code” and “score” suggest that it’s owned by a service provider.

“Interestingly, a value for people’s income is given (however, we don’t know if it’s a code for an internal ranking system, a tax bracket, or an actual amount),” vpnMentor said. “This made us suspect that the database is owned by an insurance, healthcare, or mortgage company. However, information one may expect to find in a database owned by brokers or banks is missing. For example, there are no policy or account numbers, social security numbers, or payment types.”

Microsoft told CNET that it notified the owner of the database and helped it remove the data until it can be secured.

Considering that there are roughly 127 million households in the United States, 80 million represents over 60 percent of the total. Since multiple people live in one household, the data leak could impact hundreds of millions of individuals.

“This isn’t the first time a huge database has been breached. However, we believe that it is the first time a breach of this size has included peoples’ names, addresses, and income,” vpnMentor said. “This open database is a goldmine for identity thieves and other attackers.”

Advertisement. Scroll to continue reading.

vpnMentor believes the exposed information can be useful for a wide range of attacks, including targeted ransomware — the attacker knows the victim’s income so they know how much money to ask for — phishing, and other schemes that involve social engineering.

However, some experts believe people should not be worried about this data leak.

“This is not a goldmine for identity thieves, or even of significant note. It does not contains any payment card information, no social security numbers, no passwords, not even any email addresses. It would have very limited value on the dark web,” John Gunn, CMO of OneSpan, told SecurityWeek. “This is the type of information that countless marketers have been tracking and using for decades and is readily available. Yes, it could help hackers, but there are many other avenues to this type of information and no one should be worried about this, beyond concern for the generally poor security practices of the owner and whatever else they may not be protecting.”

Related: E-Commerce Company Gearbest Leaked User Information

Related: Branch.io Flaws Exposed Tinder, Shopify, Yelp Users to XSS Attacks

Related: Over a Million Dasan Routers Vulnerable to Remote Hacking

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Gigamon has promoted Tony Jarjoura to CFO and Ram Bhide has been hired as Senior VP of engineering.

Cloud security firm Mitiga has appointed Charlie Thomas as Chief Executive Officer.

Cynet announced the appointment of Jason Magee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.