The details included names, ages and genders as well as income levels and marital status. The researchers, led by Noam Rotem and Ran Locar, were unable to identify the owner of the database, which until Monday was online and required no password to access. Some of the information was coded, like gender, marital status and income level. Names, ages and addresses were not coded.
The data didn’t include payment information or Social Security numbers. The 80 million households affected make up well over half of the households in the US, according to Statista.
“I wouldn’t like my data to be exposed like this,” Rotem said in an interview with CNET. “It should not be there.”
Rotem and his team verified the accuracy of some data in the cache but didn’t download the data to minimize the invasion of privacy of those listed, he said.
It’s one more example of a widespread problem with cloud data storage, which has revolutionized how we store valuable information. Many organizations don’t have the expertise to secure the data they keep on internet-connected servers, resulting in repeated exposures of sensitive data. Earlier in April, a researcher revealed that patient information from drug addiction treatment centers was exposed on an unsecured database. Another researcher found a giant cache of Facebook user data stored by third-party companies on another database that was publicly visible.
Unlike a hack, you don’t need to break into a computer system to access an exposed database. You simply need to find the IP address, the numerical code assigned to any given web page. There’s no indication, though, that the information in this database was accessed by cybercriminals.
For the research, Rotem and Locar partnered with VPNmentor, an Israeli company that reviews privacy products called VPNs and receives commissions when readers choose one they like. In a blog post Monday, the company called on the public to help it identify who might own the data so that it can be secured.
“The 80 million families listed here deserve privacy,” the company said in its blog post.
“We have notified the owner of the database and are taking appropriate steps to help the customer remove the data until it can be properly secured,” a Microsoft spokesperson told CNET in a statement Monday.
The server hosting the data came online in February, Rotem found, and he discovered it in April using tools he developed to search for and catalog unsecured databases. In January, he also found a security flaw in a widely used airline booking system called Amadeus that could allow an attacker to view and alter airline bookings.
The cache of demographic information included data about adults aged 40 and older. Many people listed are elderly, which Rotem said could put them at risk from scammers tempted to use the information to try to defraud them.
Update, 11:15 a.m.: Adds comment from Microsoft and more information about the cyber security research team. Update, 12:12 p.m.: Notes that the database has been taken offline.