Independent security researchers have discovered a massive cache of personal data of up to 65% of U.S. households that was exposed on an unsecured cloud database.
The data included much more sensitive information than most commonly found in the wake of data breaches, and included gender, marital status, income level, names, ages, addresses and even precise longitude and latitude data.
“The 80 million households affected make up well over half of the households in the US,” CNET’s Laura Hautala writes.
Noam Roten, a security researcher interviewed by CNET who broke the story teamed up with Israeli technology firm VPNmentor said, “I wouldn’t like my data to be exposed like this.”
“It should not be there.” Noam Roten said.
VPNmentor said in a blog post that “the 80 million families listed here deserve privacy.”
They continued: “This isn’t the first time a huge database has been breached. However, we believe that it is the first time a breach of this size has included people’s names, addresses, and income.”
Rotem’s collaboration with the Israeli company was able to determine that the database was being housed on a Microsoft cloud service. Microsoft has issued a statement on the recent revelation, saying that “we have notified the owner of the database and are taking appropriate steps to help the customer remove the data until it can be properly secured.”
According to CNET, “the cache of demographic information included data about adults aged 40 and older. Many people listed are eldery, which Rotem said could put them at risk from scammers tempted to use the information to try and defraud them.”
“This open database is a goldmine for identity thieves and other attackers,” said VPNmentor.
Here’s how, according to the Israeli firm.
“Access to your full name can help hackers guess your email address. Many people use firstname.lastname@example.org as their email address. While this makes sense, it also makes you easy to identify.”
“Phishing scams can take many forms, and ransomware is one of the most dangerous. Commonly, this happens when dangerous links are embedded in emails; opening them infect your computer. The only way to remove ransomware is by paying a fee- and with access to your income information, attackers know how much they can demand of you.”
It gets worse, as the blog post explains, hackers are able to combine your home and work address details and determine the best means to exploit a victim.
“Since your full address is in the database too, the thief not only knows where you live, they also now know that you’re far away from home so the house is probably empty. They can also see your income, so can approximate the value of your home contents… You just become a prime target for attack.”
One of the final scenarios that VPNmentor writes of is the sensitive age data that can “identify the most vulnerable people, filter them by income, and use the information in the database to confidently attack and exploit people by phone, email or in person.”
As researcher Noam Rotem already made mention of, this breach and subsequent exposure of data isn’t a first, but it is almost unprecedented in the detail of the data that has been exposed.
For security reasons, Rotem and VPNmentor accessed only a small sample size of data to verify the database, and has since notified Microsoft - who was hosting the cloud database - in the hope of identifying the owner, which could indeed prove tricky. As VPNmentor writes, “Unlike previous leaks we’ve discovered, this time, we have no idea who this database belongs to. It’s hosted on a cloud server, which means the IP address associated with it is not necessarily connected to its owner.”