An exposed online database consisting of some 200 million records included a wide range of sensitive personal and demographic data about residents and their properties. Homeowners were identified as well as info about their credit ratings, net worth, and income, among other details. At this time we have not been able to determine who owns the database, which was hosted on an exposed Google Cloud server.
The Comparitech security research team led by Bob Diachenko discovered the database and immediately took steps to identify the owner. Upon failing to discover the owner’s identity, Diachenko alerted Google. More than a month later with no response, the exposed server was finally taken offline
Timeline of the exposure
From the time search engines first indexed the database to when it was removed, that database was exposed for more than a month.
- January 26, 2020 – The database was first indexed by search engine BinaryEdge
- January 27, 2020 – Diachenko found the exposed database and began our investigation.
- March 4, 2020 – The server was taken offline
During the time in which we had access to the database, it was being updated with new data, suggesting that the information contained is fairly recent.
We do not know if any other unauthorized parties accessed that data while it was exposed. We were unable to contact those responsible for the data for the month-plus duration of the exposure.
What data was leaked?
The largest portion of the data is a mix of personal, demographic, and property information. In total, it is comprised of 201,162,598 records.
Personally identifying details and demographic information included:
- Email address
- Credit rating
- Investment preferences
- Net worth
These records stated whether the resident smokes, golfs, travels, donates to charity, has pets, is a veteran, has a credit card, or rides horses, among other info.
Each record also contained detailed property info, including:
- Market value
- Property type
- Mortgage amount, rate, type, and lender
- Refinance amount, rate, type, and lender
- Previous owners
- Year built
- Number of beds and bathrooms
- Tax assessment info
All of this data was contained in the “mother” index of the database. We also found a smaller index with bikesharing service data and another about local fire department service calls.
Dangers of exposed data
The detailed personal, demographic, and property information contained in this dataset is a gold mine for spammers, scammers, and cybercriminals who run phishing campaigns. The data allows criminals not only to target specific people, but craft a more convincing message.
One can imagine many uses for the data. It’s valuable to those in the real estate business as well as people who run political campaigns.
No matter who owns the data and who gets their hands on it, it likely means more junk mail, robocalls, and spam email for people affected.
How and why we covered this exposure
Comparitech’s security research team scan for vulnerable data exposed on the web. Upon discovering unsecured personal data, we immediately notify the responsible parties so that access can be secured.
Following responsible disclosure, we investigate the data to find out who is affected and what personal information is exposed. Once the data has been secured, we publish a report like this one to raise awareness and mitigate potential harm to end users.
Our goal is to head off the negative consequences of exposed personal data, such as identity theft and phishing.
Help us identify the owners of this database
Although the database is no longer online we were unable to identify the owner. We notified Google as the exposed data was hosted on a Google Cloud server so we don’t know if the owners are aware of their oversight.
We want to encourage the owner to review its practices to ensure they don’t expose data again in the future.
Which service could have 200m US customers and detailed demographic data of this kind? If you can help us identify this database or know who owns it please contact us.
Comparitech and Diachenko have collaborated on several data incident reports affecting millions of people, including:
- US non-profit for international study exposes private documents of thousands of students
- 250 million Microsoft customer service and support records exposed
- 267 million Facebook user IDs and phone numbers exposed online
- 2.7 billion exposed email addresses from mostly Chinese domains, 1 million of which included passwords
- Detailed personal records of 188 million people found exposed on the web
- 7 million student records exposed by K12.com
- 5 million personal records belonging to MedicareSupplement.com exposed to public
- 2.8 million CenturyLink customer records exposed
- 700k Choice Hotels customer records leaked