Exposed databases are as bad as data breaches, and they're not going anywhere

Hackers don't have to hack when companies make this mistake.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce | Amazon | Earned wage access | Online marketplaces | Direct to consumer | Unions | Labor and employment | Supply chain | Cybersecurity | Privacy | Stalkerware | Hacking Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
4 min read

Your personal data is all over the cloud, and it's not always secured the way it should be.

Getty Images

This year wasn't a good one for keeping sensitive information private: The names, addresses and demographic data of 80 million US households got revealed. So did the expected salaries of more than a million job seekers. And so, too, thousands of Facebook passwords, along with even more users' likes and comments.

Here's the galling part: None of this data was exposed by hackers with exceptional technical prowess. It was just left sitting on the internet, by mistake. Some database manager pressed the wrong button and left your most intimate information sitting on a cloud server somewhere. Often, as in the case of the Facebook data, a third-party company stored the information incorrectly.

The problem is pervasive, according to Chris Vickery, a researcher at security company UpGuard who tracks database exposures. "It is the ugly elephant in the room that every security professional knows about, but doesn't want to talk about," he said.

Companies are moving more and more user information to the cloud, putting it on remote servers owned by Amazon, Microsoft and Google that allow customers to rent both storage and computing power. That's good for everyone, lowering costs and raising the quality of service. But as with all new technologies, there's a learning curve. When a database manager forgets to password-protect data on the cloud, the information just sits there for anyone to see. And many organizations don't consider such cases data breaches or hacks, because there's no way to prove criminals accessed the exposed data. 

Watch this: A database with info on 80M+ US households was left open to the public

Still, the data can be very personal, like the nearly 5 million health care records that a researcher found for drug rehab patients in Pennsylvania in April. In addition to outing patients struggling with drug addition, the data could have made it possible for bad actors to find patient addresses and names of family members with a few Google searches.

Sometimes the exposed data is already public, like the caches of Facebook and Instagram user phone numbers and other information from profile pages that researchers found in separate incidents this year. That data was collected from millions of profiles by automated tools. The practice, called scraping, is against the terms of service of the social media companies, and all that data together can serve as a giant list of potential victims for spammers.

What's more, the databases can reveal proprietary information that companies like LexisNexis and Dow Jones charge businesses a premium to access. Both companies maintain lists of high-risk banking customers, and both sets of data were exposed on unsecured databases in 2019.

Clouds on the horizon

The problem is unique to cloud servers, which have revolutionized the way every organization stores data. Now instead of keeping information on racks of servers in a back room, businesses, schools and governments buy space on remote ones. 

One common problem is database managers leaving default settings in place after they move information to a cloud server. Often those settings make the data public and require extra steps to enable password protection. Other times the database handlers seem to have gone out of their way to avoid putting a password on the data, perhaps not understanding the risk, said Troy Hunt, who tracks data breaches at the website Have I Been Pwned.

That's particularly worrying when the information involves children. In 2017, Hunt found recordings of children's messages to and from loved ones on an exposed database run by toymaker CloudPets, exposing the intimate back-and-forths to anyone with the search skills to find the recordings.

Protect yourself

If your data is exposed in an unsecured database, experts say you have to treat the situation the same way you would if the data had been stolen. 

"You need to engage proactively in minimizing your risk," said Eva Velasquez, president of the Identity Theft Resource Center.

Medical service provider Tu Ora Compass Health said the same thing to nearly 1 million patients when it revealed that its poorly configured website had exposed patient health insurance data. Patients should "assume the worst" and act as though hackers had accessed the data, the company said.

What's the worst that can happen? Stolen information makes it easier for identity thieves to pretend to be you. When combined with what you share on social media, for example, your medical record number could allow someone else to use your health insurance.

The Identity Theft Resource Center hosts a service called Breach Clarity that helps you decide what steps to take after your data is compromised. The advice depends on what kind of information was involved.

If your log-in credentials are exposed, you'll want to reset your passwords. If it's your Social Security number, you'll want to watch your credit report for signs that someone's opening up new lines of credit in your name. You may also want to consider freezing your credit. 

And if it's payment information, you'll want to look for unusual charges on your credit card statement and consider requesting a replacement card.

Patching the leaks

How many exposed databases are out there right now is an open question, in part because only a relatively small group of security researchers are searching for them. Some of those researchers treat the hunt, which usually involves manually sifting through search results from directories of cloud servers and any other device connected to the internet, as a hobby rather than a job. Others do it professionally, and security companies are building automated tools to find exposures.

That means we'll be hearing about them on a regular basis in the coming year.