Security analysts at CyberNews have discovered an unprotected database online which contains over 800GB of personal information including detailed records on over 200m US users.
The records stored in the unsecured database contained the full names and titles of the exposed individuals, email addresses, phone numbers, dates of birth, credit ratings, home addresses, demographics including numbers of children and their genders, detailed mortgage and tax records and other personally identifiable information.
Based on its analysis of the database, CyberNews believes that much of the data it contained may have originated from the US Census Bureau. This is because certain codes used in the database were either specific to the bureau or are used in the bureau’s classifications.
The database in question is located in the US and was hosted on a Google Cloud server which was exposed for an unknown period. At the beginning of March, all of the records contained in the database were wiped by an unidentified party. However, the empty database is still online and is accessible without any type of authentication.
CyberNews also discovered two other folders which were unrelated to the personal records found in the main folder on the database. These folders contained emergency call logs from a fire department in the US as well as a list of 74 bike share stations that is now owned by Lyft.
While the two smaller folders did not contain any personal information, the call logs from the fire department included dates, times, locations and other emergency call metadata from as far back as 2010. These two seemingly unrelated data sets may indicate that the database was a collection of stolen data or was used by several parties simultaneously.
However, the security analysts suspect that the database belonged to a data marketing firm or a credit card company based on how the data in the main folder was structured.
Although the database has since been wiped, it contents could have been downloaded by a malicious actor and CyberNews explained how those whose data has been exposed could be affected, saying:
“If the data was stolen by a malicious actor, the consequences for more than 200 million US users may be immense. Merely selling these records on darknet marketplaces at the below-average asking price of $1 per record would net the seller about $200 million. If utilized by cybercriminals to its full destructive potential, however, this data leak can result in untold billions in damages for defrauded users.”
If you’re worried that your data may have been exposed, you can check here to see if it was.
- We’ve also highlighted the best VPN services