CNET también está disponible en español.

Ir a español

Don't show this again

Security

6 million voter email addresses left unsecured for 9 years, researchers say

The list appears to have come from the Democratic Senatorial Campaign Committee.

The silhouette of a hand and an old-fashioned key with a background of ones and zeroes.

More than 6 million email addresses that appear to have been collected by political campaigners were exposed online for almost a decade, researchers said Tuesday.

Graphic by Pixabay/Illustration by CNET

A list of 6.2 million email addresses amassed by Democratic campaign organizers appears to have been exposed on the internet for nearly a decade. Researchers at UpGuard found the list on an unsecured cloud server that would have let anyone with an internet connection read it.

The cache, which contains only email addresses and no other identifying information, was uploaded by a former staffer with the Democratic Senatorial Campaign Committee, or DSCC. The list appeared to include mostly personal email addresses, and the largest portion were AOL and Yahoo accounts. In a blog post Tuesday, UpGuard researchers acknowledged the scope of the information isn't large, but said it should still be concerning.

They said it shows that political campaigns are prone to collecting large amounts of information on voters and then failing to secure it. That can leave voter information exposed long after polls close and votes are counted.

"If political data can be exposed for 10 years, the risk created by that data has an unknown half-life," the researchers said.

The DSCC confirmed that the data was uploaded by a former staffer, and that the spreadsheet has now been removed.

"Since the 2010 cycle, the DSCC now has a centralized and secure management of assets to ensure accounts are following proper security best practices, and all users and staff go through security awareness training to prevent issues like this," DSCC spokesman Stewart Boss said in a statement.

Originally published Aug. 6, 12:41 p.m. PT.
Update, 1:37 p.m.: Adds comment from the DSCC.