Here’s a database riddle: what kind of service collects data on 80 million US households, but only people over the age of 40, and includes their name, birthdate, gender, income, homeowner status, map coordinates, whether they’re married (but not how many children they may have), and dwelling type (but not their social security number)?
Give up? So did the security researchers who stumbled on an open database with all that data. That’s why they asked for help in trying to figure out who the database might belong to.
Noam Rotem and Ran Locar, VPNMentor researchers, found the unidentified, open database, along with its 24GB worth of records, hosted on a Microsoft cloud server.
The database contained detailed information that could be abused in a number of ways, including by identity thieves or phishers. Just knowing your name and city is enough to run a comprehensive search, Rotem and Locar said – one that could return company websites, personal blogs or websites, social media profiles like Facebook, Instagram, and Twitter, and whatever local media you may be featured in.
Depending on how much you share on social media, your vacation posts or business travel boasts could also be advertising to burglars when you’re away from home, the researchers said:
Let’s assume you haven’t updated the security settings on your Facebook profile for a while, so your posts are visible to people you’re not friends with. Everything you post is open to the internet – including the vacation photos you uploaded that morning. The geotag shows that you’re thousands of miles away from home.
But while the database held sensitive data galore, it lacked one crucial piece: any indication of what service it might belong to. From the researchers’ writeup:
Unlike previous leaks we’ve discovered, this time, we have no idea who this database belongs to. It’s hosted on a cloud server, which means the IP address associated with it is not necessarily connected to its owner.
As of Tuesday, Microsoft had taken down the database. Following VPNMentor’s publication of its report, Microsoft put out a statement saying that the owner, whoever it is, had also been notified:
We have notified the owner of the database and are taking appropriate steps to help the customer remove the data until it can be properly secured.
Microsoft didn’t reveal who the owner is. That means the riddle’s still open for guesses… And that 80 million US households, many of which contain multiple people, don’t know what service or company might have left their data dangling on the internet for all comers.
Anybody have a hypothesis?
12 comments on “Mystery database exposes data on 80 million US households”
It was my grandmother’s weekend PowerPoint slide mailing list.
I knew she was getting around but 80 mil is quite a feat even for her. I was sure to put the cap on 50 mil.
Investment or insurance company. The demographics match the audience they target.
Or morticians’ marketing association.
That’s one of their guesses, but the data contained no policy or account numbers, social security numbers, or payment types.
Maybe a target list for a place that sells reverse mortgages?
That was my first thought
How about the US Census?
All that data but no SS#, I’ll bet a Snickers bar the data came from FB. Filtered for marketing to a specific group like Bob and Anon said. Maybe bought from Cambridge Analytica or their new name Emerdata (both related to SCL Group) - since that is exactly what they do.
Simply scammers compiling lists of easy targets with enough equity, credit and senility to make the job easy. I have found the older generation has a real problem with being able to utter the simple phrase “F U”. They also can’t resist answering the phone when they can figure out how, that is. (JitterBug excluded) I know someone who donates to all the religious bullshit and then says, “Why do they waste money sending me junk mail?” It’s so hard not to say because you’re a proven time tested sucker that’s why.
“over 40” is the older generation and senile?
Sounds like an insurance or “insuretech” company, based on the data sets.