The CyberNews research team uncovered an unsecured database owned by an unidentified party, comprising 800 gigabytes of personal user information.The database was left on a publicly accessible server and contained more than 200 million detailed user records.
On March 3, 2020, the entirety of the data present on the database was wiped by an unidentified party.
The database is located in the US and hosted on a Google Cloud server that has been exposed for an unknown period. The database itself is still online and accessible but no longer contains any records. While it’s unclear if any malicious actors have accessed the database before the wipe on March 3 or if the data was erased by a blackhat hacker, anyone who knew where to look could have accessed the data, without needing any kind of authentication, says the research team.
According to the CyberNews team, the unsecured database contained a folder that included more than 200 million incredibly detailed records of what looked like profiles of US users, including:
- Full names and titles of the exposed individuals
- Email addresses
- Phone numbers
- Dates of birth
- Credit ratings
- Home and mortgaged real estate addresses, including their exact locations
- Demographics, including numbers of children and their genders
- Detailed mortgage and tax records
- Detailed data profiles, including information about the individuals’ personal interests, investments, as well as political, charitable, and religious donations
The CyberNews team says that it seems that much of the data on the main folder might have originated from the United States Census Bureau as certain codes used in the database were either specific to the Bureau or used in the Bureau’s classifications.
In addition, the database contained two additional folders that were seemingly unrelated to the mass of personal records the research team found in the main folder. These folders included the following data:
- Emergency call logs of a fire department based in the US.
- A list of some of the 74 bike share stations that used to belong to a bike share program. The current owner of those bike share stations is Lyft.
While the two smaller folders did not contain any personal information, the call logs from the fire department included dates, times, locations, and other emergency call metadata dating as far back as 2010, notes the report. "The presence of the mapped bike share station locations and the call logs of the fire department may have indicated that the database might have been either a collection of stolen data or was used by several parties simultaneously, but we were unable to positively confirm this," adds the research team.
"Due to how the data in the main folder was structured, however, our analysts suspect that the database belonged to a data marketing firm or a credit company," claims CyberNews. For example, CyberNews notes that categories and sections were marked as codes in a fashion similar to dictionaries used by data marketers, there were no social security numbers and all the data profiles we looked at included credit scores.
For the full report, visit CyberNews.com