Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Unprotected Database Stored Information on 80 Million U.S. Households

Researchers have stumbled upon an unprotected database storing information on the individuals living in roughly 80 million households in the United States.

Researchers have stumbled upon an unprotected database storing information on the individuals living in roughly 80 million households in the United States.

Noam Rotem and Ran Locar of vpnMentor came across the database as part of what the company calls a “huge web mapping project.” The database was 24 gigabytes in size and it was hosted on Microsoft cloud servers.

The exposed information includes the number of individuals living in a household, address, geographical location, full name, marital status, age, date of birth, gender, income bracket, homeowner status, and dwelling type. Interestingly, the database only appeared to store data on individuals aged over 40.

However, the researchers could not determine who the data belongs to and they have asked for help in identifying the owner. Fields named “member_code” and “score” suggest that it’s owned by a service provider.

“Interestingly, a value for people’s income is given (however, we don’t know if it’s a code for an internal ranking system, a tax bracket, or an actual amount),” vpnMentor said. “This made us suspect that the database is owned by an insurance, healthcare, or mortgage company. However, information one may expect to find in a database owned by brokers or banks is missing. For example, there are no policy or account numbers, social security numbers, or payment types.”

Microsoft told CNET that it notified the owner of the database and helped it remove the data until it can be secured.

Considering that there are roughly 127 million households in the United States, 80 million represents over 60 percent of the total. Since multiple people live in one household, the data leak could impact hundreds of millions of individuals.

“This isn’t the first time a huge database has been breached. However, we believe that it is the first time a breach of this size has included peoples’ names, addresses, and income,” vpnMentor said. “This open database is a goldmine for identity thieves and other attackers.”

vpnMentor believes the exposed information can be useful for a wide range of attacks, including targeted ransomware — the attacker knows the victim’s income so they know how much money to ask for — phishing, and other schemes that involve social engineering.

However, some experts believe people should not be worried about this data leak.

“This is not a goldmine for identity thieves, or even of significant note. It does not contains any payment card information, no social security numbers, no passwords, not even any email addresses. It would have very limited value on the dark web,” John Gunn, CMO of OneSpan, told SecurityWeek. “This is the type of information that countless marketers have been tracking and using for decades and is readily available. Yes, it could help hackers, but there are many other avenues to this type of information and no one should be worried about this, beyond concern for the generally poor security practices of the owner and whatever else they may not be protecting.”

Related: E-Commerce Company Gearbest Leaked User Information

Related: Branch.io Flaws Exposed Tinder, Shopify, Yelp Users to XSS Attacks

Related: Over a Million Dasan Routers Vulnerable to Remote Hacking

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Cloud Security

Orca Security published details on four server-side request forgery (SSRF) vulnerabilities impacting different Azure services.

Identity & Access

Strata Identity has raised $26 million in a Series B funding round led by Telstra Ventures, with additional investment from Forgepoint Capital, Innovating Capital,...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...