Mystery Database With 200 Million American Citizens' Private Records Exposed Online
Major data breaches
have unfortunately become rather common occurrences
(they seem to happen in waves), and even if you are practice common sense computing habits, you can still fall victim to these types of things. Serving as a sobering reminder of this reality, security researchers say they have discovered an unprotected database hosting a massive 800 gigabytes of personal data.
The database holds records for over 200 million Americans. In terms of scale, that's more people than were affected by the Equifax breach
, which ultimately resulted in the Federal Trade Commission issuing a weaksauce fine
. In this case, it is not clear if the exposed records have been viewed by malicious actors or spilled into the dark web.
According to CyberNews and its research team, the records contained full names and titles of individuals, email addresses, phone numbers, dates of birth, credit card ratings, home and mortgaged real estate addresses, demographics (including numbers of children and genders), detailed mortgage records and tax records, and detailed data profiles about people's personal interests.
It is believed that the bulk of the data may have have originated with the United States Census Bureau
. In addition, the exposed data contained two more folders containing emergency call logs of a fire department based in the US, and a list of some of the 74 bike share stations that used to belong to a bike share program (now owned by Lyft
"Due to how the data in the main folder was structured, however, our analysts suspect that the database belonged to a data marketing firm or a credit company," the researchers noted.
Fortunately, the data did not contain social security numbers. Nevertheless, the amount of personal details exposed would be enough for malicious actors to pull off nefarious deeds, such as identity theft, impersonation scams, and so forth.
"Another day, another open database," cybersecurity researcher Sean Wright told Forbes. "What frustrates me the most about these databases is that we used to purposely bury them deep within an organization's network. So that if there was any misconfiguration, the risk would be minimized. Fast forward to today, and we put databases on a network directly facing the internet."
The good news is, the database was completely wiped on March 3, 2020. If you want to check if your details might have been contained in the database, CyberNews has posted a tool
to check if your email address was exposed.