Records of 114 million US citizens and businesses exposed online

A huge database containing more than 114 million data on US citizens and businesses was discovered online without protection. The number of people affected by the exposure is estimated at nearly 83 million.

Researchers from HackenProof, an intrusion testing company based in Estonia, have discovered mbadive data cache via the Shodan search engine, in two Elasticsearch clues.

All the good things for a real scam

One of the instances contained personal information on 56,934,021 US citizens, including sensitive information such as full name, employer, job title, e-mail address, postal code , the phone number and an IP address.

"Another index of the same database contained more than 25 million records and more than one" Yellow Pages "directory: name, company contact details, zip address, carrier route, latitude / longitude, census tract, telephone number, web address, e-mail, number of employees, turnover numbers, NAICS codes, SIC codes, etc. ", informs the company in a blog post.

A company data sheet shows 114,686,118 the total number of records found and 82,851,841 the number of people affected.

This information is a valuable badet for fraudsters, who can use it to target businesses and individuals with more effective spam-phishing emails. Cold calls are another method they can use to scam businesses and individuals.

The researchers have not been able to determine the owner of the data, but think that they may belong to a 10-year old data management company called Data & Leads Inc. (cached link) based in Toronto, Canada.

Records are no longer available

The main cause of the information exposure was a misconfiguration of Elasticsearch instances that allowed the public to access the data without authentication.

This type of error is usually exploited by cybercriminals who often install malware to connect remotely to the server and exploit its resources or to demand ransom in exchange for already deleted data.

Sometimes the crooks do not copy the information, so the victim does not receive anything, even if it complies with the ransom demand.

HackenProof claims that they received no response from a Data & Leads representative, but that their website was taken offline before publicly disclosing the privacy breach. In addition, the database is no longer open to access.

It is unknown how long the information has been exposed. Shodan indexed it on Nov. 14, but it's only time stamp when the search engine became aware of its existence online. It is possible that it has been available for longer and that others have accessed it.