A misconfigured database is the root cause of the exposure of around 191 Million voter records. The records include voters’ full names, unique voter IDs, unique voter IDs, date of births and phone numbers.
The database was discovered by the security expert Chris Vickery, the same expert that recently confirmed that information exposed in over 650 terabytes of MongoDB data was associated with 25 million user accounts from various apps and services, including 13 million users of the OS X optimization program MacKeeper.
The database containing voters’ information was discovered on December 20th, Vickery provided all the details about his disconcerting discovery to DataBreaches.net. The archive includes over 191 Million Americans’ personal identifying information (PII).
Vickery has found also his own information in the database containing 300GB of voters’ data.
“My immediate reaction was disbelief,” Vickery said. “I needed to know if this was real, so I quickly located the Texas records and ran a search for my own name. I was outraged at the result. Sitting right in front of my eyes, in a strange, random database I had found on the Internet, were details that could lead anyone straight to me. How could someone with 191 million such records be so careless?”
Below the detailed list of attributes stored in the leaked database.
Vickery confirmed to have found in the voters’ database the records belonging to a number of police officers in his city, he has also verified the authenticity of the information.
The database doesn’t include Social Security Numbers, driver license numbers, or financial data, but the information it includes could be attractive for both cybercriminals and nation-state actors.
The principal media agencies are trying to identify possible responsible for the accidental exposure of so important data, but it is not clear who has misconfigured the archive.
Vickery and DataBreaches.net tried to contact voter information companies and various political groups, but all have denied any involvement in the incident.
“Salted Hash reached out to several political data firms in an effort to locate the owner of the exposed database. Dissent (admin of Databreaches.net) did the same thing. However, none of our efforts were successful.” reported Salted Hash. “The following firms were contacted by Salted Hash for this story: Catalist, Political Data, Aristotle, L2 Political, and NGP VAN. Databreaches.net reached out to Nation Builder. Speaking to Dissent, Nation Builder said that the IP address hosting the database wasn’t one of theirs, and it wasn’t an IP address for any of their hosted clients. As for the firms contacted by Salted Hash, each of them denied that the database was theirs, and in the case of NGP VAN, the technical aspects of the infrastructure (Linux vs. Windows) ruled them out because they’re a Windows shop and the data is housed as part of a Linux build. A later attempt to contact i360, another political data firm, was unsuccessful.”
Vickery also reported the issue to the FBI and Internet Crime Complaint Center, let’s hope the information will be removed as soon as possible.
(Security Affairs – US voters database, hacking)