A pair of security experts has discovered an online, unprotected database that hosts personal data for 80 million American households. And, perhaps even more concerning, they’re not sure who it belongs to.
The data in the 24 GB database includes people’s full names, full street addresses, marital status, date of birth, income bracket, home ownership status and more. (Information such as income, dwelling type and gender is coded.)
Ran Locar and Noam Rotem of VPNMentor discovered the database and say they believe it is the first time a breach of this size has included such detailed information.
“This open database is a goldmine for identity thieves and other attackers,” they said.
Beyond identity thieves, the information in this database could be used to target older and more vulnerable people for phishing and scam attempts. Because real-world locations and income levels are shown, it could be useful for real-world thieves, as well.
While 80 million households are included in the database, the number of affected individuals is likely in the hundreds of millions, since most households have more than one resident. Everyone in the database is over the age of 40.
The discovery came as part of a web mapping project underway at VPNMentor. The company says it did not download the database, as it felt doing so would be an ethical breach.
Because the database was hosted on a cloud server, though, it’s unclear who it belongs to. (Locar and Rotem initially theorized an insurance, healthcare or mortgage company, but then noted that there were no account or social security numbers.) The security company is asking for help in identifying who might own the database, so the owner can be alerted to the vulnerability.