A misconfigured database on the Google Cloud platform containing 800 gigabytes of data and over 200 million user records was exposed online, according to researchers at CyberNews. The database contained a folder that included detailed information on around 200 million Americans, including full names, phone numbers, email addresses, dates of birth, credit ratings, home addresses, mortgaged property addresses, number of dependents and their genders, tax records, mortgage information, and detailed information about users’ interests, political leaning, investments, and donations to charities, political parties, and religious organizations.
The main database included codes unique to the U.S. Census Bureau, which could offer clues as to the type of company that created the database, but after two weeks of searching, the owner of the database could not be identified. The researchers suggest it could have been stolen by a hacker but, based on how the data was structured, it most likely belonged to a credit company or digital marketing firm. Unrelated data was also identified, including logs of emergency calls to a U.S. fire department and a list that contained 74 bike share stations.
It is unclear how long the database was exposed, but the researchers note that anyone who knew where to look would have been able to access the data. The database is still accessible online; however, all data in the database was wiped by an unidentified party on March 23, 2020.
The wipe may have been carried out by the owner of the database, but a hacker is most likely, as the database included a link to a website that displayed a dancing pirate telling people to fix their security.
It is hoped that an ethical hacker wiped the database and that the data was not stolen before it was wiped. The extensive range of information in the database could be used for a variety of malicious purposes. The information could be used to craft convincing phishing campaigns, and it would be easy to use the data to convince people to part with other sensitive data, such as their Social Security number, via email, the internet, or over the phone. That would allow cybercriminals to steal identities.
Before the database was wiped, the CyberNews researchers downloaded 80 million email addresses from it. They have created a tool that allows users to check if their email address was in the database. You can access the tool at this link. No other data was downloaded by the researchers.