Known hacktivists Noam Rotem and Ran Locar discovered an unprotected database impacting up to 65% of US households.
Hosted on a Microsoft cloud server, the 24 GB database includes the number of people living in each household, along with their full names, marital status, income bracket, age, and more.
Information Included in the Database
Below is a screenshot of a typical entry from this database:
The database seems to itemize households rather than individuals. It includes:
- Full addresses, including street addresses, cities, counties, states, and zip codes
- Exact longitude and latitude
- Full names, including first, last, and middle initial
- Date of birth
Some information is included but coded (given what we assume to be an internally-assigned numerical value). This includes:
- Marital status
- Homeowner status
- Dwelling type
The only real hint that this database belongs to some kind of service is that “member_code” and “score” each appear in every entry.
The Danger of Exposing this Information
This isn’t the first time a huge database has been breached. However, we believe that it is the first time a breach of this size has included people’s names, addresses, and income.
This open database is a goldmine for identity thieves and other attackers. Here’s how:
Access to your full name can help hackers guess your email address. Many people use firstname.lastname@example.org as their email address. While this makes sense, it also makes you easy to identify.
Phishing scams can take many forms, and ransomware is one of the most dangerous. Commonly, this happens when dangerous links are embedded in emails; opening them infects your computer. The only way to remove ransomware is by paying a fee – and with access to your income information, attackers know how much they can demand of you.
Real World Dangers
Your name and city are enough to run a comprehensive internet search. Google will bring up links to anything with your name, including: company websites, personal blogs or websites, social media profiles like Facebook, Instagram, and Twitter, and local media you may be featured in.
Let’s assume you haven’t updated the security settings on your Facebook profile for a while, so your posts are visible to people you’re not friends with. Everything you post is open to the internet – including the vacation photos you uploaded that morning. The geotag shows that you’re thousands of miles away from home.
Since your full address is in the database too, the thief not only knows where you live, they also now know that you’re far away from home, so the house is probably empty. They can also see your income, so they can approximate the value of your home contents. You just became a prime target for attack.
It gets worse: your age is in the database too. Attackers – both online and offline – can identify the most vulnerable people, filter them by income, and use the information in the database to confidently attack and exploit people by phone, email, or in person.
This scenario is just the tip of the iceberg. Addresses can easily lead to phone numbers, making people easy targets for phishing scams. Dates of birth and postal codes are common answers to security questions. And longitude and latitude mean your home can be pinpointed and watched.
Of course, there are ways to stay safe online and in the real world. For example, secure your home with alarms, and your internet connection with a top-rated VPN. This will help keep you safe, wherever you are.
How We Discovered the Leak
The research team is currently undertaking a huge web mapping project. They use port scanning to examine known IP blocks. This reveals open holes in web systems, which they then examine for weaknesses and data leaks.
Usually, researchers suspect where the leak is coming from. They can then examine the database to confirm its identity.
We then reach out to the database’s owner to report the leak, and where possible, alert the people affected. This helps build a safer and more protected internet.
Although we investigated the database online, we didn’t download it. Our researchers felt that downloading it would be an ethical breach, as they would then illegally own personally identifiable data sets without people’s consent.
Why This Data Breach is Different
This time, it’s different. The database that the team discovered includes identifying information for more than 80 million households across the United States. As most households include more than one resident, the database could directly impact hundreds of millions of individuals.
vpnMentor is calling on the public to help identify the database and close the leak.
Unlike previous leaks we’ve discovered, this time, we have no idea who this database belongs to. It’s hosted on a cloud server, which means the IP address associated with it is not necessarily connected to its owner.
The data includes uniform entries for more than 80 million households, making it almost impossible to narrow down. The only clue we found lay in people’s ages: despite searching thousands of entries, we could not find anyone listed under the age of 40.
Interestingly, a value for people’s income is given, although we don’t know whether it is a code for an internal ranking system, a tax bracket, or an actual amount.
This made us suspect that the database is owned by an insurance, healthcare, or mortgage company. However, information one may expect to find in a database owned by brokers or banks is missing. For example, there are no policy or account numbers, social security numbers, or payment types.
Help Us Identify this Database
Update 30/04/2019: This database is no longer open to the public. Following the publication of our report, Microsoft took its server offline. In a statement, they said, “We have notified the owner of the database and are taking appropriate steps to help the customer remove the data until it can be properly secured”. Microsoft has not revealed who owns the database.
We want to contact this database’s owners and let them know that their data logs are exposing millions of households.
Help us solve the riddle:
What service is used by 80 million homes across the US – but only the US – and only by people over 40? What service would collect your homeowner status and dwelling type but not your social security number? And what service records that you’re married but not how many children you have?