Security researchers have discovered an online database completely unsecured and exposed to the public internet, containing the personal details of at least 63 million Americans.
A team at vpnMentor led by Ran Locar and Noam Rotem found the Elasticsearch database wide open during a “routine research project.”
It soon traced the trove back to OneMoreLead, a B2B sales and marketing company which claims on its unfinished website to have a database of “40+ million 100% verified B2B prospects to search from.”
The database itself contained around 126 million records. Depending on the number of duplicates in there, the number of affected individuals could be anywhere between 63 million and 126 million, vpnMentor claimed.
Personally identifiable information (PII) featured in the trove included full names, job titles, personal email and home addresses, work email and office addresses, personal and work phone numbers, home IP addresses and employer names.
“The database contained detailed personal information about tens of millions of people — everything from their job title to their home IP address,” vpnMentor claimed.
“Cybercriminals could easily use this information to pursue financial fraud against everyone exposed. Simultaneously, they could use the information to build effective phishing campaigns, posing as a person’s employer, the government, and other trusted organizations.”
Many of the emails viewed by the research team had .gov suffixes, or indicated the individual as working for the New York Police Department.
“Private data from members of the government and police are a goldmine for criminal hackers — especially if a foreign government supports them,” vpnMentor claimed.
There are also question marks over where the information came from.
“The company is new, with no known clients and an unfinished website. So, it’s unlikely they collected data from 126 million people since opening in 2020 — unless the people behind OneMoreLead were working on a similar business previously,” vpnMentor claimed.
“Furthermore, the exposed data bears an uncanny resemblance to a leak originally connected German B2B marketing company Leadhunter in 2020. Leadhunter denied responsibility for the leak at the time, and researchers couldn’t confirm a link.”
The good news is that, when informed about the leak, OneMoreLead apparently secured the database the next day.
“Any leak like this could be easily avoided with some basic security measures taken including, securing servers, implementing proper access rule, and never leaving a system that doesn’t require authentication open to the internet,” vpnMentor said.