Details on 80 million US households exposed by unprotected cloud database
Security researchers have found yet another unprotected database that has left details on 80 million US households exposed for anyone on the internet to access.
The 24GB unprotected database is hosted on a "Microsoft cloud server", and contains sensitive information that could be valuable for fraudsters.
This includes addresses, the number of people living at a residence, full names, marital status, income bracket, age, and birthdate.
The database was found by Noam Rotem and Ran Locar, security researchers at vpnMentor, an Israel-based site that reviews VPN products.
The researchers haven't been able to identify the owner of the database and have appealed to the public to help solve the mystery. However, they suspect it belongs to a service, such as an insurance firm, a mortgage firm or healthcare service, due to the presence of a 'member code' and a 'score' for each entry.
The database did not include account numbers, social security numbers or payment types, and only included details on people aged 40 years and above.
The researchers found the database as part of a worldwide scan of the internet for unsecured databases. In March, they turned up a MongoDB database owned by a caller ID service called Dalil, which, unbeknownst to five million users, had been leaking their phone numbers and in some cases live location.
Other researchers have also found several large unprotected databases that were exposing details of hundreds of millions of users. The online databases are often found using the Shodan search engine.
vpnMentor estimates its latest discovery affects about 65 percent of US households. Although the researchers accessed the database over the internet, they opted not to download it, as doing so would violate users' privacy.
ZDNet sister site CNET reports that Microsoft knows the owner of the database and is helping the owner secure it.
"We have notified the owner of the database and are taking appropriate steps to help the customer remove the data until it can be properly secured," a Microsoft spokesperson told CNET.
Fortunately, this leaky database did not include account credentials and passwords. However, vpnMentor notes that the information is still sufficient for scammers and criminals to target people based on their location and wealth.