Exactis, a Florida-based marketing firm, recently left a server open for public access that contained detailed information on 230 million people and 110 million U.S. business contacts, totaling up to 2TB of raw data.
The vast database owned by Exactis contained information pertaining to almost the entire adult population of the United States and contained minute details of each individual such as full names, home addresses, email addresses, gender, religion, whether an individual is a smoker, whether he/she owns any pets, whether he/she has any children, or whether he/she has any particular interests such as scuba diving or plus-sized apparel.
Database could be traced easily by any hacker
The giant database, which was configured for public access, was discovered by researcher Vinny Troia, the founder of Night Lions Security, a New York-based security firm. Troia stumbled upon the publicly accessible database owned by Exactis last week while carrying out a search on Shodan, a search engine used extensively by hackers and researchers alike to scan for public-facing Internet-connected devices.
Considering how easily Troia discovered the database and was able to browse through its exhaustive contents, there is a significant possibility that malicious actors had already reached it by the same route, since they routinely search for public-facing servers that contain detailed records of citizens.
Speaking to Wired, Troia also marveled about how a relatively-less-known marketing firm like Exactis owned and handled minute personal details of millions of U.S. citizens and businesses. “It seems like this is a database with pretty much every US citizen in it. I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen,” he said.
According to Wired, Troia discovered Exactis’ database while searching for ElasticSearch, a database “that’s designed to be easily queried over the internet using just the command line”. That search returned 7,000 results, and after combing through them he discovered the 2TB database containing individual records of hundreds of millions of citizens.
Even though the database did not contain social security numbers or financial information, the wealth of information it stored could allow a professional hacker to match these identities with details exposed in previous leaks and carry out social engineering attacks or large-scale identity fraud.
Marc Rotenberg, executive director of the nonprofit Electronic Privacy Information Center, told Wired that the database contained a wealth of non-public information that data brokers aggregated from magazine subscriptions, credit card transaction data sold by banks, and credit reports. As such, it would prove extremely useful to a hacker looking to carry out impersonation or profiling.
Exactis has since reconfigured the database so that it can no longer be accessed publicly, but it is not known how long it was open to the public before Troia discovered it. It is also not known whether the database was accessed or copied by malicious hackers before its exposure was detected.
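The exposure described above comes down to two Elasticsearch settings: the node listened on every network interface and required no credentials, so anyone who found port 9200 could list and query every index from the command line. The following elasticsearch.yml fragments are an added illustration, not Exactis’ actual configuration or anything published by the company: the first shows the exposed pattern, the second the reconfiguration a defender would apply. The cluster name and certificate paths are placeholders, and the X-Pack security settings assume an Elasticsearch release in which they are available.

```yaml
# elasticsearch.yml (exposed) - constructed example of the weak configuration
cluster.name: marketing-data          # placeholder name
network.host: 0.0.0.0                 # binds to every interface, so the Internet can reach the node
http.port: 9200
xpack.security.enabled: false         # no authentication: any client that reaches port 9200 can
                                      # run GET /_cat/indices and read every document
---
# elasticsearch.yml (hardened) - constructed example of the corrected configuration
cluster.name: marketing-data          # placeholder name
network.host: 127.0.0.1               # loopback only; clients come in through a VPN, firewall
                                      # rule or an authenticated reverse proxy, never directly
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true          # every request must carry credentials (users and roles)
xpack.security.http.ssl.enabled: true # encrypt the REST API so credentials are not sent in clear
xpack.security.http.ssl.keystore.path: certs/http.p12           # placeholder path
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/transport.p12 # placeholder path
```

After restarting the node, the check a defender wants is twofold: an unauthenticated request from the host itself (`curl -k https://127.0.0.1:9200/`) should be rejected with HTTP 401 rather than answering with cluster details, and a connection attempt to port 9200 from outside the host should not connect at all. The first confirms that authentication is enforced; the second confirms that the node is no longer discoverable by the kind of Internet-wide scan that found the Exactis server.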
Poorly-configured servers destroying people’s privacy
This isn’t the first time that companies have been found following lax security policies while handling databases containing a wealth of non-public information. In April, an unsecured cloud storage repository containing sensitive information belonging to personal and business data search service LocalBlox was left exposed to the public: it lacked password protection, was configured for access via the Internet, and was publicly downloadable.
According to security researchers at UpGuard who discovered the publicly-exposed repository, it contained “48 million records of detailed personal information on tens of millions of individuals, gathered and scraped from popular social media platforms”.
In May, UK-based security researcher Robert Wiggins found that TeenSafe, an iOS and Android app that allows parents to view their children’s browsing history, text messages, location, and call records, stored sensitive details of both parents and children in two unsecured cloud servers that were not protected by passwords and could be accessed by anyone.
According to a report from ZDNet, the publicly accessible cloud servers stored the email addresses of both parents and children, along with the children’s device names and unique identifiers. At the same time, the passwords for children’s Apple IDs were stored in plain text and could be used by malicious entities to break into those devices and access personal data.