Security researchers have recently discovered and reported an unprotected database that exposed the personal information of 80 million U.S. households to potential data security threats like identity theft.
According to PCWorld, a team of security researchers from a site known as vpnMentor discovered that the database contained unencrypted data that exposed information such as full street addresses, full names, ages, and dates of birth. Most unsettling was the fact that the data also included “exact longitude and latitude” locations for individuals. The researchers also reportedly found “coded references” to other pieces of personal information such as details on income, gender, marital status, and homeowner status. Interestingly, though, the data seems to expose only the information of people ages 40 and older.
The researchers’ report is posted on the vpnMentor website. According to the report, the database is 24GB and is hosted on a Microsoft cloud server. And while the database doesn’t seem to contain vital personal data such as Social Security numbers or credit card information, the report outlined the dangers of having other kinds of personal data exposed, such as ransomware attacks, phishing scams, and identity theft.
The identity of the database’s owner is still unknown. However, based on the types of data found in the database, the researchers think the owner is probably an “insurance, health care, or mortgage company.” When the report was first published, the researchers included a call to action asking readers to contact them if they could help identify the owner of the database.
The report has been updated with a new development. Sometime after the report was published by vpnMentor’s researchers, Microsoft reportedly took the server offline and released the following statement to them:
“We have notified the owner of the database and are taking appropriate steps to help the customer remove the data until it can be properly secured.”
USA Today also reported that Microsoft issued a similar statement: “We notified the owner of the database and it is no longer publicly accessible.” Neither statement from Microsoft identified the database’s owner.