Data Breach Exposes 123 Million U.S. Households
Alteryx (ALTERYX), a marketing analytics firm, left an unsecured database online that publicly exposed sensitive information for about 123 million U.S. households.
The personal details included street addresses, demographics, and finances for families, as well as information pertaining to house and auto ownership, and even to children. The database was open to anyone with an account on Amazon (AMZN) Web Services, the storage service Alteryx used to host the files.
Researchers with the cybersecurity firm UpGuard said they discovered the improperly secured database—since shored up by Alteryx—on Oct. 6, as they revealed in a blog post on Tuesday. The researchers, including Chris Vickery, UpGuard’s director of research and a prolific hunter of unsecured web databases, noted that, “Simply put, one dummy sign-up for an AWS account, using a freshly created email address, is all that was necessary to gain access to this bucket’s contents.”
Alteryx did not say whether any unauthorized access occurred.
A large portion of the data appeared to originate with Experian (EXPGY), one of three major U.S. credit bureaus, which collected and sold them as part of its “ConsumerView” product for marketers. Alteryx sells access to its own marketing product, “Alteryx Designer w/ Data,” which incorporates the Experian and other data, such as public information from the U.S. Census Bureau, for about $39,000 per license.
Although the database used anonymized IDs instead of people’s names, Vickery has warned that the details were easy to cross-correlate with other identifying information, such as what’s contained in voting records or managed by advertisers. “If you cross-reference it with a voter registration database, or if you have records from an advertiser on the web, like a big web advertiser, you piece these things together and you’ve got a very accurate view of who someone is: what they like doing, where they work, where they live, how many kids they have,” Vickery told Forbes.
“When we discovered this issue, we removed the file from AWS and also added a layer of additional security to the AWS bucket where the file was stored,” said Dean Stoecker, CEO and chairman of Alteryx, in a statement. “We will maintain a similar level of enhanced security for any dataset that we offer to our customers going forward.”
Experian told Fortune that the data exposure was due to no fault of its own IT systems, unlike what happened to Equifax (EFX) earlier this year. “This is an Alteryx issue. The data in question does not include any personally identifiable information, or any consumer credit information, and poses no risk of identity theft to consumers,” a spokesperson said in an email.
“To be clear, this incident did not involve or compromise any Experian systems,” the spokesperson continued. “We nevertheless take this matter very seriously, and are disappointed that it occurred. Data security has always been, and always will be, our highest priority.”
Alteryx stressed in its response that the data did not contain “names, credit card numbers, social security numbers, bank account information or passwords.”
Get Data Sheet, Fortune’s technology newsletter
The UpGuard researchers countered that the information that had been left out in the open was still a potential goldmine for miscreants. “The data exposed in this bucket would be invaluable for unscrupulous marketers, spammers, and identity thieves,” they wrote.