
Exposed database reveals details on over 80 million US households – CNET

Angela Lang/CNET

The addresses and demographic details of more than 80 million US households are listed on an unsecured database stored on the cloud, independent security researchers have found.

The details listed include names, ages and genders as well as income levels and marital status. The researchers, led by Noam Rotem, have been unable to identify the owner of the database, which is still online and requires no password to access. Some of the information is coded, like gender, marital status and income level. Names, ages and addresses are not coded.

The data doesn't include payment information or Social Security numbers. The 80 million households affected make up well over half of the households in the US, according to Statista.

"I wouldn't like my data to be exposed like this," Rotem said in an interview with CNET. "It should not be there."

Rotem and his team verified the accuracy of some data in the cache but didn't download the data in order to minimize the invasion of privacy of those listed, he said.

It's one more example of a widespread problem with cloud data storage, which has revolutionized how we store valuable information. Many organizations don't have the expertise to secure the data they keep on internet-connected servers, resulting in repeated exposures of sensitive data. Earlier in April, a researcher revealed that patient information from drug addiction treatment centers was exposed on an unsecured database. Another researcher found a giant cache of Facebook user data stored by third-party companies on another database that was publicly visible.

Unlike a hack, accessing an exposed database doesn't require breaking into a computer system. You simply need to find the IP address, the numeric address that identifies a server on the internet. There's no indication the information in this database has been accessed by cybercriminals.

For the research, Rotem partnered with VPNmentor, an Israeli company that reviews privacy products called VPNs and receives commissions when readers choose one they like. In a blog post published Monday, the company called on the public to help it identify who might own the data so that it can be secured.

"The 80 million families listed here deserve privacy," the company said in its blog post.

Rotem found that the data is stored on a cloud service owned by Microsoft. Microsoft declined to comment for this story. Securing the data is up to the organization that created the database, and not Microsoft itself. But the software titan could contact its customer to let it know of the problem, if the customer is identified.

The server hosting the data came online in February, Rotem found, and he discovered it in April using tools he developed to search for and catalog unsecured databases. In January, he also found a security flaw in a widely used airline booking system called Amadeus that could allow an attacker to view and alter airline bookings.

The cache of demographic information includes data about adults aged 40 and older. Many people listed are elderly, which Rotem said could put them at risk from scammers who could use the information to try to defraud them.