Up to 35 million voter records have been found up for sale on a popular hacking forum from 19 states, researchers discovered.
Researchers at Anomali Labs and Intel 471 on Monday said that they discovered Dark Web communications offering a large quantity of voter databases for sale – including valuable personally identifiable information and voter history.
This represents the first indication of 2018 voter registration data for sale on a hacking forum, said the researchers. The discovery comes weeks before the U.S. November mid-term elections.
“With the November 2018 midterm elections only four weeks away, the availability and currency of the voter records, if combined with other breached data, could be used by malicious actors to disrupt the electoral process or pursue large-scale identity theft,”researchers at Anomali Labs said in a Monday post. “Given the illicit vendor claims of weekly updates of voter records and their high reputation on the hacker forum, we assess with moderate confidence that he or she may have persistent database access and/or contact with government officials from each state.”
Researchers did not post what the name of the hacking forum was, or the timeline of the sales.
The disclosure affects 19 states and includes 23 million records for just three of the 19 states, researchers said. Impacted states include: Georgia, Idaho, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Mississippi, Montana, New Mexico, Oregon, South Carolina, South Dakota, Tennessee, Texas, Utah, West Virginia, Wisconsin, and Wyoming.
No record counts were provided for the remaining 16 states, but they did include prices for each state. Each voter list ranges from $150 to $12,500, depending on the state, the research team said. These prices could be related to the number of voter records per database.
The records contain voter data including full name, phone numbers, physical addresses, voting history, and other unspecified voting data.
“We estimate that the entire contents of the disclosure could exceed 35 million records,” the research team said. “Researchers have reviewed a sample of the database records and determined the data to be valid with a high degree of confidence.”
Researchers said that within hours of the initial advertisement, a “high-profile actor” organized a crowdfunding campaign to purchase each of the voter registration databases.
“According to the actor, the purchased databases would be made available free of charge to all registered members of the hacker forum, with early access given to donors of the project,” said researchers.
So far, of the 19 available databases, Kansas has been acquired and published as part of that crowdfunding campaign – and Oregon is in the lead as the second state to be published.
Concerns around voter data in the U.S. have continued to peak as the elections draw near.
In July, a misconfigured repository bucket was found leaking the information of U.S. voters. The information was exposed on a public Amazon S3 bucket by a Virginia-based political campaign and robocalling company called Robocent.
While voter lists are not permitted to be used for commercial purposes, “State voter registration lists can be obtained at varying costs established by each state,” researchers said. Those lists could include registered voters and who has voted in specific elections – but, rules still remain governing which authorized persons (such as political campaigns, journalists or academic researchers) may retrieve and use the data.
“This type of information can facilitate criminal actions such as identity fraud or allow for false submissions of changes online to voter registrations, making some legitimate voters ineligible to cast ballots,” researchers said. “In a voter identity theft scenario, fraudsters can cause disruptions to the electoral process through physical address changes, deletion of voter registrations or requests for absentee ballots on behalf of the legitimate voter.”