The US political robocall firm RoboCent exposed personal details of hundreds of thousands of US voters.
The researcher Bob Diachenko from Kromtech Security discovered the company database exposed online. The expert was using the online service GrayhatWarfare that could be used to search publicly exposed Amazon Web Services data storage buckets.
The company offers for sale voter records for a price of 3¢/record, the same data that left exposed online.
Querying the system for the term “voters” he found the AWS bucket used by RoboCent.
The bucked discovered by the expert contained 2,584 files, exposed voters’ data includes:
The server also contained audio files with prerecorded political messages used for the robo-calling service.
“Just when I thought the days of misconfigured AWS S3 buckets are over, I discovered a massive US voter data online, apparently being part of Robocent, Virginia Beach-based political autodial firm’s cloud storage.” wrote Diachenko.
“Many of the files did not originate at Robocent, but are instead the aggregate of outside data firms such as NationalBuilder.”
Diachenko responsibly disclosed the discovery to the company that quickly secured the bucket, below the message sent by a developer of the company that solved the issue.
“We’re a small shop (I’m the only developer) so keeping track of everything can be tough”
This isn’t the first case of unsecured Amazon S3 buckets exposed online, in June 2017 DRA firm left 1.1 TB of data unsecured on an Amazon S3, 198 million US voter records exposed.
In December 2017, Diachenko discovered another an exposed MongoDB database containing voter registration data for more than 19 million California residents.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.