Security researcher Bob Diachenko, along with a team from Comparitech, recently discovered a publicly available database that contained nearly 188 million personal data records, including people’s names, email addresses, dates of birth, phone numbers, religion, and political affiliations.
A large number of personal data records found in the unprotected MongoDB database contained detailed information sourced from Pipl.com and LexisNexis. Diachenko discovered the database shortly after it was indexed by search engines last month and traced it back to “a Github repo for a people search API called thedatarepo”.
Upon further analysis, Diachenko and the team from Comparitech determined that the information stored in the MongoDB database had been scraped or purchased from Pipl.com and LexisNexis, thereby confirming that the presence of the data was not due to Pipl or LexisNexis actually being breached by hackers.
The 188 million records, which could until recently be viewed by anyone with an internet connection, included first and last names, aliases and past names, email addresses, physical addresses, dates of birth, court and bankruptcy notes, phone numbers, social media profile links, political affiliations, race, religion, skills, gender, past and present employment details, as well as automobiles and property owned by individuals.
Around 800,000 personal data records scraped or purchased from LexisNexis and stored in the unprotected database contained information such as “names, past names, addresses, gender, parental status, a short biography, family members, redacted emails, and info about the person’s neighbors including full names, dates of birth, reputation scores, and addresses”.
Diachenko added that it will be difficult for people to check for their personal data records in the exposed database and get them removed, as data brokers like Pipl obtain information from a variety of public and proprietary sources and don’t claim ownership over such data.
As such, in order to get their personal information removed from the web, people will have to go to the original source, which is a difficult and exhausting activity.
Exposed personal data records could help hackers in carrying out identity fraud
“Data in the wrong hands can have a huge impact on consumers. The type of data exposed in this breach can be combined with other user data from other breaches and social media, to build a complete profile. In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world,” said Lisa Baergen, director at NuData Security.
“Multi-layered technology that thwarts fraud exists right now. Passive biometrics technology is making stolen data valueless by verifying users based on their inherent behaviour instead of relying on their data. This makes it impossible for bad actors to access illegitimate accounts, as they can’t replicate the customer’s inherent behaviour.
“Analysing customer behaviour with passive biometrics is completely invisible to users. It has the added benefit of providing valid users with a great experience without the extra friction that often comes with other customer identification techniques. When fraudsters try to use stolen customer data or login credentials, they will find the data is useless.”
In May, Diachenko discovered another unprotected MongoDB database, hosted on Amazon AWS infrastructure and not secured from external access, that contained over 275 million records with personally identifiable information (PII) on Indian citizens.
The unprotected MongoDB database contained 275,265,298 records with personally identifiable information (PII) on Indian citizens, including names, email addresses, gender, mobile phone numbers, dates of birth, current salary, employment history, education levels, and professional skills.
In November last year, he also discovered an unprotected MongoDB cloud database hosted by data aggregator Adapt that contained over 9.3 million data records that included personal data as well as job descriptions of millions of individuals.
The database contained as many as 9,376,173 personal data records that included first and last names, phone numbers, names of the companies where the individuals were employed, job titles, job descriptions, lists of company domains, industry, company revenue, email confidence scores, total contacts available in the company, and emails of every contact in the company.