Mystery database exposes data on 80 million US households

Here’s a database riddle: what kind of service collects data on 80 million US households, but only on people over the age of 40, and includes their name, birthdate, gender, income, homeowner status, map coordinates, whether they’re married (but not how many children they may have), and dwelling type (but not their social security number)?

Give up? So did the security researchers who stumbled on an open database with all that data. That’s why they asked for help in trying to figure out who the database might belong to.

Noam Rotem and Ran Locar, researchers at VPNMentor, found the unidentified open database, 24GB of records in all, hosted on a Microsoft cloud server.

The database contained loads of detailed information that could be used in a number of ways, many of them not good, including by identity thieves or phishers. Just knowing your name and city is enough to run a comprehensive search, Rotem and Locar said – one that could return company websites, personal blogs or websites, social media profiles like Facebook, Instagram, and Twitter, and whatever local media you may be featured in.

Depending on how much you share on social media, your vacation posts or business travel boasts could also be advertising to burglars when you’re away from home, the researchers said:

Let’s assume you haven’t updated the security settings on your Facebook profile for a while, so your posts are visible to people you’re not friends with. Everything you post is open to the internet – including the vacation photos you uploaded that morning. The geotag shows that you’re thousands of miles away from home.
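The geotag the researchers mention is Exif GPS metadata embedded in the photo file itself. As an added example that is not part of the original article or of VPNMentor's work, here is a stdlib-only Python reader that walks a JPEG's marker segments, finds the Exif block, and converts the GPS IFD's degree/minute/second rationals into signed decimal coordinates. The sample photo bytes and the coordinates inside them are constructed inline for the example; the Exif layout it relies on (IFD0 tag 0x8825 pointing at a GPS IFD whose tags 0x1 to 0x4 hold the latitude and longitude) follows the Exif specification.

```python
import struct

# Exif/TIFF tags used below: IFD0's pointer to the GPS IFD, and the GPS IFD's
# latitude/longitude entries. The TIFF container is what a JPEG carries inside
# its APP1 "Exif" segment.
GPS_IFD_POINTER = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
ASCII, LONG, RATIONAL = 2, 4, 5  # TIFF field types


def exif_from_jpeg(data):
    """Walk JPEG segments; return the TIFF payload of the APP1 Exif segment,
    or None if the file carries no Exif block."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:  # start of scan: no metadata segments follow
            break
        seglen, = struct.unpack(">H", data[pos + 2:pos + 4])  # includes itself
        if marker == 0xE1 and data[pos + 4:pos + 10] == b"Exif\x00\x00":
            return data[pos + 10:pos + 2 + seglen]
        pos += 2 + seglen
    return None


def extract_gps(tiff):
    """Return (lat, lon) in signed decimal degrees from a TIFF/Exif blob,
    or None when it has no usable GPS IFD. Handles both byte orders."""
    if tiff[:2] == b"II":
        e = "<"
    elif tiff[:2] == b"MM":
        e = ">"
    else:
        raise ValueError("not a TIFF/Exif blob")
    magic, ifd0 = struct.unpack_from(e + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")

    def read_ifd(off):  # 12-byte entries: tag, type, count, inline value/offset
        n, = struct.unpack_from(e + "H", tiff, off)
        entries = {}
        for i in range(n):
            tag, typ, cnt, val = struct.unpack_from(e + "HHI4s", tiff, off + 2 + 12 * i)
            entries[tag] = (typ, cnt, val)
        return entries

    def rationals(typ, cnt, val):  # dereference an offset to cnt num/den pairs
        if typ != RATIONAL:
            raise ValueError("expected RATIONAL")
        off, = struct.unpack(e + "I", val)
        return [n / d for n, d in struct.iter_unpack(e + "II", tiff[off:off + 8 * cnt])]

    def to_decimal(dms, hemisphere):
        d, m, s = dms
        deg = d + m / 60 + s / 3600
        return -deg if hemisphere in ("S", "W") else deg

    root = read_ifd(ifd0)
    if GPS_IFD_POINTER not in root:
        return None
    gps_off, = struct.unpack(e + "I", root[GPS_IFD_POINTER][2])
    gps = read_ifd(gps_off)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    lat_ref = gps[GPS_LAT_REF][2][:1].decode("ascii")
    lon_ref = gps[GPS_LON_REF][2][:1].decode("ascii")
    return (to_decimal(rationals(*gps[GPS_LAT]), lat_ref),
            to_decimal(rationals(*gps[GPS_LON]), lon_ref))


# --- constructed sample input (not a real photo) ---------------------------

def build_gps_tiff(lat, lon):
    """Assemble a minimal little-endian TIFF: IFD0 -> GPS IFD -> rational data."""
    def dms(v):
        v = abs(v)
        d = int(v)
        m = int((v - d) * 60)
        s = round(((v - d) * 60 - m) * 60 * 10000)
        return [(d, 1), (m, 1), (s, 10000)]

    def entry(tag, typ, cnt, val):
        return struct.pack("<HHI4s", tag, typ, cnt, val)

    header = b"II" + struct.pack("<HI", 42, 8)           # IFD0 at offset 8
    ifd0 = (struct.pack("<H", 1)
            + entry(GPS_IFD_POINTER, LONG, 1, struct.pack("<I", 26))
            + b"\x00" * 4)                                # no next IFD
    gps = (struct.pack("<H", 4)                           # GPS IFD at offset 26
           + entry(GPS_LAT_REF, ASCII, 2, (b"S" if lat < 0 else b"N") + b"\x00" * 3)
           + entry(GPS_LAT, RATIONAL, 3, struct.pack("<I", 80))
           + entry(GPS_LON_REF, ASCII, 2, (b"W" if lon < 0 else b"E") + b"\x00" * 3)
           + entry(GPS_LON, RATIONAL, 3, struct.pack("<I", 104))
           + b"\x00" * 4)
    payload = b"".join(struct.pack("<II", n, d) for n, d in dms(lat) + dms(lon))
    return header + ifd0 + gps + payload                  # rationals at 80..127


def build_jpeg(tiff):
    """Wrap a TIFF blob in a skeletal JPEG: SOI, APP1 Exif segment, EOI."""
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

To check a real file, call `extract_gps(exif_from_jpeg(open(path, "rb").read()))`; a returned pair means the photo publishes where it was taken. Whether a given platform strips this block on upload varies, so inspecting the file before sharing it is the reliable test.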

But while the database held sensitive data galore, it lacked one crucial piece: any indication of what service it might belong to. From the researchers’ writeup:

Unlike previous leaks we’ve discovered, this time, we have no idea who this database belongs to. It’s hosted on a cloud server, which means the IP address associated with it is not necessarily connected to its owner.

As of Tuesday, Microsoft had taken down the database. Following VPNMentor’s publication of its report, Microsoft put out a statement saying that the owner, whoever it is, had also been notified:

We have notified the owner of the database and are taking appropriate steps to help the customer remove the data until it can be properly secured.

Microsoft didn’t reveal who the owner is. That means the riddle’s still open for guesses… And that 80 million US households, many of which contain multiple people, don’t know what service or company might have left their data dangling on the internet for all comers.

Anybody have a hypothesis?