A massive data leak exposing the personal information of over 100 million US citizens has reportedly been uncovered by security researchers.
The breach, discovered by Cybernews and attributed to a misconfigured database at background check firm MC2 Data, allegedly left 2.2TB of sensitive data accessible online without password protection.
What Was Exposed in the MC2 Data Breach?
The database contained 106,316,633 records, including:
- Full names
- Emails
- IP addresses
- Dates of birth
- Partial payment details
- Home addresses
- Phone numbers
- Employment and legal histories
- Property records
- Family, relatives and neighbors’ data
“Encrypted passwords were also leaked,” added Darren James, a senior product manager at Specops Software. “While encryption provides a layer of protection, these passwords are now vulnerable to brute-force attacks. If cracked, especially when linked to email addresses, they could potentially grant unauthorized access to other systems due to the common practice of password reuse.”
Subscribers to MC2 Data services, totaling over 2.3 million individuals, were also affected. Their data, which could include information about employers and law enforcement, is particularly concerning as it may present a higher-value target for cybercriminals.
Security Concerns and Industry Impact
MC2 Data, which runs popular background check sites such as PrivateRecords.net and PeopleSearchUSA, collects and compiles information from various public sources for use by employers, landlords and others for decision-making.
The discovery has raised serious concerns about how background check companies handle and secure vast amounts of personally identifiable information (PII). The leak puts millions at risk of identity theft, fraud or other cyber-attacks.
Security researchers warn that such a breach could be a goldmine for cybercriminals, giving them easy access to detailed personal profiles that are typically protected.
“This is another huge breach in an all too familiar narrative of ‘human error,’” said Javvad Malik, lead security awareness advocate at KnowBe4. “While it’s easy to point fingers at an individual to say that a particular web database was left marked as public as opposed to private, it underscores a fundamental issue where security doesn’t appear to be given the priority it deserves.”
Infosecurity has reached out to MC2 Data through their legal representative, Strauss Borrelli PLLC, for clarification on the breach and the actions taken to address it. However, at the time of writing, no response has been received.
We will update our readers should more information become available. In the meantime, the database has reportedly been secured.