Security

Why is a 22GB database containing 56 million US folks' personal details sitting on the open internet using a Chinese IP address? Seriously, why?

If CheckPeople could take a look at this, that would be great

By Shaun Nichols in San Francisco

169 SHARE

Exclusive A database containing the personal details of 56.25m US residents – from names and home addresses to phone numbers and ages – has been found on the public internet, served from a computer with a Chinese IP address, bizarrely enough.

The information silo appears to have been obtained somehow from Florida-based CheckPeople.com, which is a typical people-finder website: for a fee, you can enter someone's name, and it will look up their current and past addresses, phone numbers, email addresses, names of relatives, and even criminal records in some cases, all presumably gathered from public records.

However, all of this information is not only sitting in one place for spammers, miscreants, and other netizens to download in bulk, it's being served from an IP address associated with Alibaba's web hosting wing in Hangzhou, east China, for reasons unknown. It is a perfect illustration that not only is this sort of personal information in circulation, it's also in the hands of foreign adversaries.

A white-hat hacker operating under the handle Lynx discovered the trove online, and tipped off The Register. He told us he found the 22GB database exposed on the internet, including metadata that links the collection to CheckPeople.com. We have withheld further details for privacy protection reasons.

The repository's contents are likely scraped from public records, though together provide rather detailed profiles on tens of millions of folks in America. Basically, CheckPeople.com has done the hard work of aggregating public personal records, and this exposed NoSQL database makes that info even easier to crawl and process.

"In and of itself, the data is harmless, it's public data, but bundled like this I think it could actually be worth a lot to some people," Lynx told El Reg this week. "That's what scares me, when people start combining these with other datasets."

While CheckPeople.com also offers criminal record searches, Lynx did not find that information among the cache.

AWS has new tool for those leaky S3 buckets so, yeah, you might need to reconfigure a few things

READ MORE

The Register has repeatedly attempted to reach a human at CheckPeople to alert it to the leak, and the site's administrators have yet to respond. Its customer-support call center directed us to email the company, although our messages were subsequently ignored, it appears. Similarly, Lynx told us he has been unable to get hold of anyone beyond a third-party call center worker.

You would think a company trafficking in personal records would care a bit more about being able to be reached.

Whether this is data somehow siphoned from CheckPeople by a Chinese outfit and dumped lazily online, or a CheckPeople server hosted in China, is unclear.

However, under the laws of the People's Republic, government agencies can more or less search any machine at any time in the Middle Kingdom, meaning profiles on 56.5 million American residents appear to be at the fingertips of China, thanks to CheckPeople – we assume Beijing has files on all of us, though, to be fair.

Again, repeated attempts to contact CheckPeople for its side of the story were unsuccessful. Should the company decide to get in touch, we will update this story as needed. We have also pinged Alibaba to alert it to the exposed database, should it care about Americans' privacy. ®

Updated to add

An attorney for CheckPeople.com told us on Friday that the business is probing the matter:

CheckPeople is unaware of any database of information hosted in China or through Alibaba. CheckPeople’s records are stored in the United States on secure servers. However, CheckPeople takes security issues very seriously and is investigating this matter.

We understand the database has been removed from the Chinese server. Redacted screenshots of the records can be seen here.

Sign up to our NewsletterGet IT in your inbox daily

169 Comments

Related

AWS has new tool for those leaky S3 buckets so, yeah, you might need to reconfigure a few things

re:Invent Security a popular topic at Las Vegas event

When did you last check your AWS S3 security? Here's four scary words: 17k Magecart infections

Card-slurping malware hits thousands upon thousands of unprotected cloud storage silos

Sure is quiet from Adobe. No security fixes this month? Great job. Oh no, wait, what's that stampede sound...

If you thought Reader, Acrobat, Experience Manager were skipping October's Patch Tuesday, think again

Sorry to be blunt about this... Open AWS S3 storage bucket just made 30,000 potheads' privacy go up in smoke

Talk about high tech: Software maker exposes cloud silo of personal info in tale of security gone bong

Amazon backtracks on planned S3 changes that would hamper free speech activists

Existing censorship-resistant S3 paths get a stay of execution

Don't be so Maduro: Adobe backs down (a little) on Venezuela sanctions blockade

Media giant says it can now pay back subscription fees

What do Brit biz consultants and X-rated cam stars have in common? Wide open... AWS S3 buckets on public internet

Exposed: Intimate... personal details belonging to thousands of folks

Hot patches for ColdFusion: Adobe drops trio of fixes for three serious flaws

While you're at it, fix Java too

This may shock you but Adobe is shipping insecure software. No, it's not Flash this time. Nope, not Acrobat, either

Mobile app SDKs sport dodgy crypto defaults, set bad examples – updates available

Teletext Holidays a) exists and b) left 200k customer call recordings exposed in S3 bucket

Get your grandparents to book with someone else

Whitepapers

Reduce Redis Enterprise Deployment Cost, Complexity with Intel® Optane™ DC Persistent Memory

Intel and Redis Labs have prepared this kit to help you reduce Redis Enterprise deployments cost and complexity with 2nd Generation Intel® Xeon® Scalable processors and Intel® Optane™ DC persistent memory.

Ransomware Hostage Rescue Manual

Free your files! Get the most informative and complete hostage rescue manual on ransomware.

Fine turn multi-cloud with containers and Intel Optane DC

Intel’s paper Making Multi-cloud Work discusses the seven considerations IT chiefs should address when optimising their multi-cloud environment and it comes with two companion reports

Guide to Antivirus (AV) Replacement

This guide provides in-depth information from leading security experts that will guide you through each phase of your decision-making process.