A security researcher has discovered that the US political robocall firm RoboCent exposed personal details of hundreds of thousands of US voters.
The US political robocall firm RoboCent exposed personal details of hundreds of thousands of US voters.
The researcher Bob Diachenko from Kromtech Security discovered the company database exposed online. The expert was using the online service GrayhatWarfare that could be used to search publicly exposed Amazon Web Services data storage buckets.
The company offers for sale voter records for a price of 3¢/record, the same data that left exposed online.
Querying the system for the term “voters” he found the AWS bucket used by RoboCent.
The bucked discovered by the expert contained 2,584 files, exposed voters’ data includes:
Full Name, suffix, prefix
Phone numbers (cell and landlines)
Address with house, street, city, state, zip, precinct
Political affiliation provided by state, or inferred based on voting trends/history
Age and birth year
Jurisdiction breakdown based on district, zip code, precinct, county, state
Demographics based on ethnicity, language, education
The server also contained audio files with prerecorded political messages used for the robo-calling service.
“Just when I thought the days of misconfigured AWS S3 buckets are over, I discovered a massive US voter data online, apparently being part of Robocent, Virginia Beach-based political autodial firm’s cloud storage.” wrote Diachenko.
“Many of the files did not originate at Robocent, but are instead the aggregate of outside data firms such as NationalBuilder.”
Diachenko responsibly disclosed the discovery to the company that quickly secured the bucket, below the message sent by a developer of the company that solved the issue.
“We’re a small shop (I’m the only developer) so keeping track of everything can be tough”
This isn’t the first case of unsecured Amazon S3 buckets exposed online, in June 2017 DRA firm left 1.1 TB of data unsecured on an Amazon S3, 198 million US voter records exposed.
In December 2017, Diachenko discovered another an exposed MongoDB database containing voter registration data for more than 19 million California residents.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.