X

Cloud database removed after exposing details on 80 million US households

Exclusive: The cache included information on addresses, income levels and marital status.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
3 min read
cybersecurity-hacking-4
Angela Lang/CNET

In a blow to consumers' privacy , the addresses and demographic details of more than 80 million US households were exposed on an unsecured database stored on the cloud, independent security researchers have found.

The details included names, ages and genders as well as income levels and marital status. The researchers, led by Noam Rotem and Ran Locar, were unable to identify the owner of the database, which until Monday was online and required no password to access. Some of the information was coded, like gender, marital status and income level. Names, ages and addresses were not coded.

The data didn't include payment information or Social Security numbers. The 80 million households affected make up well over half of the households in the US, according to Statista.

"I wouldn't like my data to be exposed like this," Rotem said in an interview with CNET. "It should not be there."

Rotem and his team verified the accuracy of some data in the cache but didn't download the data to minimize the invasion of privacy of those listed, he said.

It's one more example of a widespread problem with cloud data storage, which has revolutionized how we store valuable information. Many organizations don't have the expertise to secure the data they keep on internet-connected servers, resulting in repeated exposures of sensitive data. Earlier in April, a researcher revealed that patient information from drug addiction treatment centers was exposed on an unsecured database. Another researcher found a giant cache of Facebook user data stored by third-party companies on another database that was publicly visible.

Unlike a hack, you don't need to break into a computer system to access an exposed database. You simply need to find the IP address, the numerical code assigned to any given web page. There's no indication, though, that the information in this database was accessed by cybercriminals.

For the research, Rotem and Locar partnered with VPNmentor, an Israeli company that reviews privacy products called VPNs and receives commissions when readers choose one they like. In a blog post Monday, the company called on the public to help it identify who might own the data so that it can be secured.

"The 80 million families listed here deserve privacy," the company said in its blog post.

Rotem found that the data was stored on a cloud service owned by Microsoft . Securing the data is up to the organization that created the database, and not Microsoft itself.

"We have notified the owner of the database and are taking appropriate steps to help the customer remove the data until it can be properly secured," a Microsoft spokesperson told CNET in a statement Monday.

The server hosting the data came online in February, Rotem found, and he discovered it in April using tools he developed to search for and catalog unsecured databases. In January, he also found a security flaw in a widely used airline booking system called Amadeus that could allow an attacker to view and alter airline bookings.

The cache of demographic information included data about adults aged 40 and older. Many people listed are elderly, which Rotem said could put them at risk from scammers tempted to use the information to try to defraud them.

Originally published April 29, 5 a.m. PT.
Update, 11:15 a.m.: Adds comment from Microsoft and more information about the cybersecurity research team. 
Update, 12:12 p.m.
: Notes that the database has been taken offline.

Watch this: A database with info on 80M+ US households was left open to the public