FYI: Someone left 24GB of personal info on 80m US households exposed to the public internet
Security bods ask for help figuring out who left Microsoft-hosted barn door open
A pair of security researchers working on a web mapping project for security biz vpnMentor have identified what they claim is a database that exposes 80 million US households.
In a blog post on Monday, vpnMentor said the database resides on a Microsoft cloud server – presumably Azure – and consists of 24GB of personal information.
Exposed databases, a common problem in recent years, are not the same as hacked databases – they're simply unprotected and accessible to those who know where to look. While it's possible miscreants have been able to copy all the data left in plain sight, there's presently no evidence of any data theft.
In a statement emailed to The Register, Tim Erlin, VP of product management and strategy at security biz Tripwire, lamented the lack of knowledge among those using cloud services.
"It's clear, after so many incidents, that organizations do not have control over access to their data stored in the cloud," said Erlin. "It's not for a lack of tools, but a lack of understanding and implementation of the available tools. If you are storing data in the cloud, you can and should be able to audit the access permissions for that data on a continuous basis."
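Erlin's point is that the permissions on cloud-stored data should be audited continuously rather than checked once at deployment. The following is an added example, not code from The Register, Tripwire, vpnMentor, or Microsoft, showing what such an audit looks like for Azure Blob Storage. The input dictionaries are constructed to resemble the JSON that `az storage account show` and `az storage container list` return; the field names used (`allowBlobPublicAccess`, `networkRuleSet.defaultAction`, `properties.publicAccess`, `enableHttpsTrafficOnly`, `minimumTlsVersion`) are an assumption to verify against the real CLI output in your own tenant, and the article does not say what kind of server actually held the household data.

```python
"""Audit Azure storage account settings for public exposure.

Added example; not part of the article or of any vendor's tooling. The sample
records below are CONSTRUCTED to look like `az storage account show` and
`az storage container list` output. The field names are an assumption: check
them against the JSON your own `az` returns before relying on this.
"""
import json


def audit_storage_account(account, containers):
    """Return a list of human-readable findings for one storage account.

    An empty list means nothing obviously exposed. Missing fields are treated
    as exposed, so an incomplete inventory fails loud rather than silent.
    """
    findings = []
    name = account.get("name", "<unnamed>")

    # Network layer: a defaultAction of "Allow" means the endpoint answers to any
    # address on the internet; "Deny" limits it to the listed IP/VNet rules.
    rules = account.get("networkRuleSet") or {}
    if rules.get("defaultAction") != "Deny":
        findings.append(f"{name}: network default action is not Deny (endpoint reachable from any IP)")

    # Account-level switch: only when it is enabled can a container grant
    # anonymous reads, so the per-container check is nested under it.
    if account.get("allowBlobPublicAccess") is not False:
        findings.append(f"{name}: allowBlobPublicAccess is not disabled")
        for c in containers:
            level = (c.get("properties") or {}).get("publicAccess")
            if level:  # "blob" or "container"; None/absent means private
                findings.append(f"{name}/{c.get('name', '?')}: anonymous access level is '{level}'")

    # Transport hygiene: these do not make data public on their own, but a
    # continuous audit should report them alongside the access findings.
    if account.get("enableHttpsTrafficOnly") is not True:
        findings.append(f"{name}: HTTPS-only traffic is not enforced")
    if account.get("minimumTlsVersion") != "TLS1_2":
        findings.append(f"{name}: minimum TLS version is not TLS1_2")
    return findings


def audit_all(inventory):
    """inventory: iterable of (account, containers) pairs. Returns {name: findings}."""
    return {acct["name"]: audit_storage_account(acct, conts) for acct, conts in inventory}


# --- constructed sample inventory (not real accounts) ---------------------
EXPOSED_ACCOUNT = {
    "name": "exposedacct",
    "allowBlobPublicAccess": True,
    "enableHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_2",
    "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
}
EXPOSED_CONTAINERS = [
    {"name": "households", "properties": {"publicAccess": "container"}},
    {"name": "internal", "properties": {"publicAccess": None}},
]

HARDENED_ACCOUNT = {
    "name": "hardenedacct",
    "allowBlobPublicAccess": False,
    "enableHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_2",
    "networkRuleSet": {"defaultAction": "Deny", "ipRules": [{"value": "203.0.113.0/24"}],
                       "virtualNetworkRules": []},
}
HARDENED_CONTAINERS = [
    {"name": "households", "properties": {"publicAccess": None}},
]

if __name__ == "__main__":
    report = audit_all([(EXPOSED_ACCOUNT, EXPOSED_CONTAINERS),
                        (HARDENED_ACCOUNT, HARDENED_CONTAINERS)])
    print(json.dumps(report, indent=2))
```

In practice the inventory would be fed from `az storage account list` and `az storage container list --auth-mode login` for every account, run on a schedule, with any non-empty findings raised as an alert; the point of the continuous part is that a container flipped to public access after the initial review is caught the next time the job runs, not after a researcher finds it.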
vpnMentor is asking for help identifying the owner of the database because that's not evident from the exposed details. "The data includes uniform entries for more than 80 million households, making it almost impossible to narrow down," the firm said. "The only clue we found lay in people’s ages: despite searching thousands of entries, we could not find anyone listed under the age of 40."
The company credits security researchers Noam Rotem and Ran Locar with finding the database representing about 65 per cent of US households. It says the researchers investigated the database but didn't download it as that would be unethical.
The info they found includes full names (first, middle, surname), full addresses (street addresses, cities, counties, states, and zip codes), location (longitude and latitude), age, date of birth, and numeric codes (representing title, gender, marital status, income, homeowner status, and dwelling type).
Such data is less sensitive than account credentials, passwords, and Social Security numbers, but it is still enough to target specific individuals for fraud.
vpnMentor speculates that the data belongs to an online service of some sort because every entry has "member_code" and "score" fields. It suggests the data may belong to an insurance, healthcare, or mortgage company.
Microsoft knows the answer to this riddle but isn't inclined to share. "We have notified the owner of the database and are taking appropriate steps to help the customer remove the data until it can be properly secured," a company spokesperson said in an email to The Register. ®