191 million voters’ personal info exposed by misconfigured database

http://www.databreaches.net/191-million-voters-personal-info-exposed-by-misconfigured-database/


6 Comments

  1. Tomi Engdahl says:

    191 Million US Voters’ Personal Info Exposed by Misconfigured Database
    Monday, December 28, 2015 Swati Khandelwal
    http://thehackernews.com/2015/12/us-voter-database-hacked.html

  2. Tomi Engdahl says:

    Misconfigured Database Exposes Details of 191 Million Voters
    http://www.securityweek.com/misconfigured-database-exposes-details-191-million-voters

    A misconfigured database whose owner has yet to be identified exposes the personal details of 191 million U.S. voters, researcher Chris Vickery has warned.

    The database containing the records of more than 191 million individuals, totaling over 300 gigabytes of information, includes names, gender data, home addresses, mailing addresses, phone numbers, dates of birth, party affiliations, and other details dating back to 2000.

    Vickery and others have searched the database for their own records and found that the details stored in it are accurate. Another concerning aspect is that the publicly accessible database also includes the records of police officers.

    Fortunately, social security numbers and driver’s license numbers are not affected. However, the leaked information still poses serious security and privacy risks.

    The researcher has identified dozens of leaky databases over the past month and he has done his best to contact impacted organizations. However, in this case, tracking down the operator of the database appears to be a difficult task.

    Vickery has been assisted by DataBreaches.net and Steve Ragan of Salted Hash in trying to identify the entity responsible for the database, but they haven’t had any success and the database is still online. DataBreaches.net and Ragan have contacted a congressman’s political action committee (PAC) and several political data firms, including Political Data, L2 Political, Aristotle, NGP VAN and Catalist.

    DataBreaches.net has reached out to both the FBI and the California Attorney General’s Office.

    Other Leaky Databases

    Vickery has identified dozens of poorly configured database management systems that at one point exposed more than 30 million credentials. The leaky databases identified by the expert are associated with MacKeeper, Hello Kitty owner Sanrio, Alliance Health, Uncle Maddio’s Pizza Joint, OkHello, Slingo and many others.

  3. Tomi Engdahl says:

    Entire US voter registration record leaks (191 million)
    https://www.reddit.com/r/privacy/comments/3yinij/entire_us_voter_registration_record_leaks_191/

    I’m Chris Vickery. I know your phone number, address, date of birth, and more (if you’re registered to vote in the US).

    I have recently downloaded voter registration records for 191 million Americans from a leaky database. I believe this is every registered voter in the entire country. To be very clear, this was not a hack.

    The mysterious, insecure database is currently configured for public access. No password or other authentication is required at all. Anyone with an internet connection can grab all 300+ gigabytes.

    Update: BIG ANNOUNCEMENT: I’m happy to confirm that the database is now offline! Thank you to whoever finally took it down!

  4. Tomi Engdahl says:

    Steve Ragan / CSO:
    Names, dates of birth, addresses, phone numbers, voting history for 191M US voters exposed by misconfigured database whose owner remains unidentified — Database configuration issues expose 191 million voter records — Massive database exposed to public, major political data managers deny ownership

    Database configuration issues expose 191 million voter records
    http://www.csoonline.com/article/3018592/security/database-configuration-issues-expose-191-million-voter-records.html

    Massive database exposed to public, major political data managers deny ownership

    A misconfigured database has led to the disclosure of 191 million voter records. The database, discovered by researcher Chris Vickery, doesn’t seem to have an owner; it’s just sitting in the public – waiting to be discovered by anyone who happens to be looking.

    The database was discovered by researcher Chris Vickery, who shared his findings with Databreaches.net. The two attempted to locate the owner of the database based on the records it housed and other details. However, their attempts didn’t pan out, so they came to Salted Hash for assistance.

    “My immediate reaction was disbelief,” Vickery said.

    “I needed to know if this was real, so I quickly located the Texas records and ran a search for my own name. I was outraged at the result. Sitting right in front of my eyes, in a strange, random database I had found on the Internet, were details that could lead anyone straight to me. How could someone with 191 million such records be so careless?”

    The database contains a voter’s full name (first, middle, last), their home address, mailing address, a unique voter ID, state voter ID, gender, date of birth, date of registration, phone number, a yes/no field for if the number is on the national do-not-call list, political affiliation, and a detailed voting history since 2000. In addition, the database contains fields for voter prediction scores.

    All voter information, except for a few elements protected by law in some states, is public record. For example, in Ohio, voter records are posted online. Other states make obtaining voter records a bit more challenging or outright expensive, but they’re still available. For the most part, voter data is restricted to non-commercial purposes.

    The database discovered by Vickery doesn’t contain Social Security Numbers or driver license numbers, but it’s still a massive collection of data.

    Again, most states or data brokers require that anyone obtaining voter data affirm that they’re not going to use it for commercial gain and that they’ll follow all related state laws.

    Yet, because the information Vickery discovered is in a database available to anyone on the Internet who knows how to find it, it’s essentially unrestricted data.

    “This file has all the basic information that a voter file would have on you: your address, date of birth, every election you did or didn’t vote in, and some basic demographic information. Campaigns use all of [this] information to target their messages more efficiently: to make sure they’re targeting not just the right people, but people who will actually end up voting. Most of this data is public record, with the caveat that it can only be used for campaign purposes,” explained Maclen Zilber, a Democratic political consultant with the firm Shallman Communications.

    “Some major voting data companies will give each voter a rating of how likely they are to turn out and vote”

    Who owns the database?

    As for the firms contacted by Salted Hash, each of them denied that the database was theirs.

    data is housed as part of a Linux build

    How was this database compiled?

    To be perfectly clear, this story is not related to the Sanders / Clinton incident at all.

    In fact, the Sanders and Clinton campaigns share the exact same DNC voter database. The information exposed was added by one campaign, and the glitch allowed the other campaign to see it.

    What Vickery has discovered is worse, because the data he discovered isn’t a client score – it’s a complete voter record for 191 million registered voters. The problem is, no one seems to care that this database is out there and no one wants to claim ownership.

    As it turns out, many state and county elections offices charge for access to voter data.

    But did the data in the exposed voter database come from Nation Builder? Based on the database schema and formatting, yes, it did. The personal voter file given to me by Vickery is clearly from a Nation Builder data set.

    In the U.S., few vendors maintain a national voter file.

    Each vendor that deals with national voter files has their own distinct approach to creating unique identifiers for voters.

    In my voter record, the voter ID and the field names point directly to Nation Builder as the source of the data that’s been exposed.

    But is Nation Builder to blame? Not really…

    So while Nation Builder denied any claim to the IP and the leaked database, it’s entirely possible they might know who developed it – but that would require an extensive records check. This is because a developer or campaign wishing to access the Nation Builder Election Center would need to register their contact details, such as name and email address.

    However, Nation Builder is under no obligation to identify customers, and once the data has been obtained, they cannot control what happens to it. In short, while they provided the data that’s in my newly leaked voter record, they’re not liable in any way for it being exposed.

    And to be clear, I don’t blame Nation Builder for my leaked record either, I blame the person(s) who developed the database and poorly configured its hosting. I’m just not sure who they are yet.

    Based on the voter count and some of the records, the database appears to be from Nation Builder’s 2014 update.

    The concern is the potential for abuse. Stalking and the exposure of people who normally don’t share their personal information is certainly an issue.

    There are other long-term issues too. The personal information in this database, including political affiliation, date of birth, could be used to construct a targeted phishing campaign.

  5. Tomi Engdahl says:

    Password-less database ‘open-sources’ 191m US voter records on the web
    Getting public records a chore? Not any more, claims bloke
    http://www.theregister.co.uk/2015/12/28/security_researcher_spots_191_millionrecord_us_voter_database_online/

    A database with personal information on 191,337,174 US voters has apparently been found unprotected online by a security researcher in Texas.

    Vickery told Databreaches.net he was able to poke around the public-internet-facing database because it is poorly configured: no authentication or password is required to query all 300-plus gigabytes stored within.

    The researcher believes the database holds details for every registered voter in the US, and confirmed the records held on him in the system are accurate – as are those of serving and former police officers, which is one immediate concern.

    “Oh man. I deal with criminals every day who know my name,” a cop, who was alerted to the leaky database, told Databreaches.net.

    “The thought of some vindictive criminal being able to go to this site and get my address makes me uncomfortable. I’m also annoyed that people can get my voting record. Whether I vote Republican or Democratic should be my private business.”

    To be fair, this security blunder isn’t the end of the world: the information held in the database can be accessed by any citizen one way or another as a matter of public record. However, it’s not really supposed to be put online in bulk like this for everyone on the planet to see so easily.

    US states have different rules governing the release of voter information.

