06/05/2019

Unknown Data Breach Exposes 80 Million (65%) US Households

Hosted on a Microsoft cloud server, the 24 GB database includes the number of people living in each household with their full names, their marital status, income bracket, age, and more. The database seems to itemize households rather than individuals. It includes:
  • Full addresses, including street addresses, cities, counties, states, and zip codes
  • Exact longitude and latitude
  • Full names, including first, last, and middle initial
  • Age
  • Date of birth
Some information is included but coded (given what we assume to be an internally assigned numerical value). This includes:
  • Title
  • Gender
  • Marital status
  • Income
  • Homeowner status
  • Dwelling type
The only real hint that this database belongs to some kind of service is that “member_code” and “score” each appear in every entry. This isn’t the first time a huge database has been breached. However, we believe that it is the first time a breach of this size has included people’s names, addresses, and income. This open database is a goldmine for identity thieves and other attackers.

The research team is currently undertaking a huge web mapping project. They use port scanning to examine known IP blocks. This reveals open holes in web systems, which they then examine for weaknesses and data leaks. Usually, researchers suspect where the leak is coming from. They can then examine the database to confirm its identity. We then reach out to the database’s owner to report the leak, and where possible, alert the people affected. This helps build a safer and more protected internet. Although we investigated the database online, we didn’t download it. Our researchers felt that downloading it would be an ethical breach, as they would then illegally own personally identifiable data sets without people’s consent.

This time, it’s different. The database that the team discovered includes identifying information for more than 80 million households across the United States. As most households include more than one resident, the database could directly impact hundreds of millions of individuals. Unlike previous leaks we’ve discovered, this time, we have no idea who this database belongs to. It’s hosted on a cloud server, which means the IP address associated with it is not necessarily connected to its owner. The data includes uniform entries for more than 80 million households, making it almost impossible to narrow down. The only clue we found lay in people’s ages: despite searching thousands of entries, we could not find anyone listed under the age of 40.

Interestingly, a value for people’s income is given (however, we don’t know if it’s a code for an internal ranking system, a tax bracket, or an actual amount). This made us suspect that the database is owned by an insurance, healthcare, or mortgage company. However, information one may expect to find in a database owned by brokers or banks is missing. For example, there are no policy or account numbers, social security numbers, or payment types. We want to contact this database’s owners and let them know that their data logs are exposing millions of households.

Help us solve the riddle:
  • What service is used by 80 million homes across the US, but only the US, and only by people over 40?
  • What service would collect your homeowner status and dwelling type but not your social security number?
  • What service records that you’re married but not how many children you have?
If you can help us identify this database or know who owns it, please contact us at info@vpnmentor.com.

https://www.vpnmentor.com/blog/report-millions-homes-exposed/
