Unidentified Database Exposes Records of 200 Million Americans

March 23, 2020

The CyberNews research team uncovered an unsecured database owned by an unidentified party, comprising 800 gigabytes of personal user information.The database was left on a publicly accessible server and contained more than 200 million detailed user records.

On March 3, 2020, the entirety of the data present on the database was wiped by an unidentified party.

The database is located in the US and hosted on a Google Cloud server that has been exposed for an unknown period. The database itself is still online and accessible but no longer contains any records. While it’s unclear if any malicious actors have accessed the database before the wipe on March 3 or if the data was erased by a blackhat hacker, anyone who knew where to look could have accessed the data, without needing any kind of authentication, says the research team.

According to the CyberNews team, the unsecured database contained a folder that included more than 200 million incredibly detailed records of what looked like profiles of US users, including:

Full names and titles of the exposed individuals
Email addresses
Phone numbers
Dates of birth
Credit ratings
Home and mortgaged real estate addresses, including their exact locations
Demographics, including numbers of children and their genders
Detailed mortgage and tax records
Detailed data profiles, including information about the individuals’ personal interests, investments, as well as political, charitable, and religious donations

The CyberNews team says that it seems that much of the data on the main folder might have originated from the United States Census Bureau as certain codes used in the database were either specific to the Bureau or used in the Bureau’s classifications.

In addition, the database contained two additional folders that were seemingly unrelated to the mass of personal records the research team found in the main folder. These folders included the following data:

Emergency call logs of a fire department based in the US.
A list of some of the 74 bike share stations that used to belong to a bike share program. The current owner of those bike share stations is Lyft.

While the two smaller folders did not contain any personal information, the call logs from the fire department included dates, times, locations, and other emergency call metadata dating as far back as 2010, notes the report. "The presence of the mapped bike share station locations and the call logs of the fire department may have indicated that the database might have been either a collection of stolen data or was used by several parties simultaneously, but we were unable to positively confirm this," adds the research team.

"Due to how the data in the main folder was structured, however, our analysts suspect that the database belonged to a data marketing firm or a credit company," claims CyberNews. For example, CyberNews notes that categories and sections were marked as codes in a fashion similar to dictionaries used by data marketers, there were no social security numbers and all the data profiles we looked at included credit scores.

For the full report, visit CyberNews.com

How can you advance your career in the security industry with the skills and competencies necessary to benefit your organization? What will the security executive and the security function of the future look like? Join us as we hear from veterans in the security industry about their experiences, their lessons learned, and best practices for advancing their careers.