White hat hacker Chris Vickery uncovered a database of 154 million U.S. voter profiles on an unprotected server chockfull of sensitive data that includes voter names, addresses, email addresses, phone numbers, gun ownership information, preferences on gay marriage and links to individual social media accounts.
The data was owned by voter data broker L2 which sold it to an undisclosed U.S.-based company that L2 claims inadvertently left it unprotected sitting on a Google cloud account.
“The risk of this data falling into wrong hands was extreme,” Vickery told Threatpost of the database he found on Tuesday. “Imagine how this data could be used if in the wrong hands. The data sets here are perfect for scammers to find just the right target’s email address or phone number.”
Vickery, a security researcher working with MacKeeper, said that as many as 15 percent (or 22.5 million) of the records were supplemented with additional data that went well beyond what L2 offers its clients which is limited to names, home addresses, phone numbers, dates of birth and party affiliations. Also included in voter profile data found by Vickery were links to individuals’ social media accounts such as Facebook, Flickr, Google Plus, LinkedIn, Twitter and YouTube. Another field indicated a voter’s attitudes on the pro-life and pro-choice debate.
For its part, database broker L2 stressed to Threatpost in an interview that it does not supplement data to its voter databases. “This client clearly spent a lot of time adding value to our database,” said Paul Westcott, spokesperson for L2.
“Our client told us that the database was maintained on a secure server. They told us they were hacked and that the attackers were able to disable a firewall and leave the database data unprotected,” Westcott said. He would only add the client is company located within the U.S. and didn’t have any direct party affiliation.
“The ‘we were hacked’ explanation comes out a lot in the kind of research that I do,” wrote Vickery in a blog post discussing his find.
Vickery said he was not the first to stumble on the database and that server logs he reviewed for the Google account hosting the voter data indicated multiple people had accessed the server before him – including an IP addresses outside the US such as Serbia.
Bruce Willsie, chief executive of L2, issued a statement: “We very quickly identified the national client, informed them immediately and they took down the site as quickly as they could.”
Vickery said the database was removed within three days of notifying L2 of the compromised data.
This is not Vickery’s first find of an unprotected database or the largest voter database he has found. However, he said, this voter database find included profile data nearly twice as rich in personal data compared to previous discoveries. Vickery made headlines in February when he found a database of 191 million voters. That data was traced back to the data broker NationBuilder.
Vickery said he found the voter data by scouring the internet using tools such as the Shodan search engine for CouchDB voter databases located on port 5984. “I was shocked to find it, but not as shocked as the first one I found. That’s because I knew it was possible. When I found it I just said, ‘oh boy, here we go again.'”