A vast database containing information scraped from the
public domain on 56.25 million U.S. citizens has been found online, with no
security and serving an IP address belonging to Chinese online retailer Alibaba.
All data hosted on the server seems to belong to an
online service called CheckPeople.com, which offers details, such as addresses
or phone numbers, of U.S citizens, for a fee. The service also provides
criminal records. The company says that everything is gathered from public
records.
According to The Register, a white hat hacker going by the
name of Lynx found out that a 22 GB database, containing a wide array of
details about millions of Americans, was sitting online with no safeguards.
Making matters worse, the database seems to be hosted somewhere on a Chinese
server, in Hangzhou.
While the information is scraped from public sources,
which is available to anyone, the fact that it’s gathered in a single place and
is searchable, makes it dangerous. A bad actor could pair this database with
other leaks and weaponized it in ways that pose a threat.
“In and of itself, the data is harmless, it’s public
data, but bundled like this, I think it could actually be worth a lot to some
people. That’s what scares me when people start combining these with other
datasets,” said
Lynx for The Register.
This is not the first time unattended databases with
troves of personal data have been found online. An open Elasticsearch server
with private
data on 1.2 billion people was located just over a month ago, and it’s still
unclear how that came to be. Similarly, a database owned by TrueDialog storing millions
of SMS text messages in plain text was left unattended online, ripe for the
taking by anyone interested.