Details on 80 million US households exposed by unprotected cloud database

Researchers find another unprotected database containing personal data lying wide open on the internet.
Written by Liam Tung, Contributing Writer

Security researchers have found yet another unprotected database that has left details on 80 million US households exposed for anyone on the internet to access. 

The 24GB unprotected database is hosted on a "Microsoft cloud server", and contains sensitive information that could be valuable for fraudsters. 

This includes addresses, the number of people living at a residence, full names, marital status, income bracket, age, and birthdate.

SEE: 10 tips for new cybersecurity pros (free PDF)

The database was found by Noam Rotem and Ran Locar, security researchers at vpnMentor, an Israel-based site that reviews VPN products. 

The researchers haven't been able to identify the owner of the database and have appealed to the public to help solve the mystery. However, they suspect it is a service, such as an insurance firm, a mortgage firm or healthcare service, due to the presence of a 'member code' and a 'score' for each entry. 

The database did not include account numbers, social security numbers or payment types and only includes details on people aged 40 years and above.  

The researchers found the database as part of a worldwide scan of the internet for unsecured databases. In March, they turned up a MongoDB database owned by a caller ID service called Dalil, which unbeknownst to five million users had been leaking their phone numbers and in some cases live location

Other researchers have also found several other large unprotected databases that were exposing details of hundreds of millions of their users. The online databases are often found using the Shodan search engine.       

vpnMentor estimates its latest discovery affects about 65 percent of US households. Although the researchers accessed the database over the internet, they opted not to download it as it would violate users' privacy. 

ZDNet sister site CNET reports that Microsoft knows the owner of the database and is helping the owner secure it. 

"We have notified the owner of the database and are taking appropriate steps to help the customer remove the data until it can be properly secured," a Microsoft spokesperson told CNET. 

Fortunately, this leaky database did not include account credentials and passwords. However, vpnMentor notes that the information is still sufficient for scammers and criminals to target people based on their location and wealth.

More on database security breaches

Editorial standards