An unsecured Elasticsearch database discovered by independent security researcher Sanyam Jain contains the personal identification information of eight million US citizens. It seems that all of them were survey participants who filled out their details to win a prize, a discount offer, or even a free sample of a product. Little did these people know that their information would end up within reach of possibly malicious actors and become part of PII (Personally Identifying Information) data bundles that are for sale on darknet forums. Considering the irresponsibility that characterizes even the administrators of databases belonging to large corporations, the discovery of the compromised database doesn’t come as a surprise to anyone.
The information that is contained in the 130 million database entries includes the full name, home address, email address, phone number, date of birth, gender, and IP address. Secondary details include subscription status (possibly useful for phishing actors), the user level, user ID, and the webpage where the information came from (where the user took part in the survey). While this last part helped serve as a pointer to the owner of the database, the researcher had to do some digging to find that out.
After noticing that most of the records contained the domain “userenroll.com”, the researcher found that it belongs to an online marketing company named PathEvolution, which failed to respond to the notices. This led to the notification of the hosting service of the database, which in this case was Amazon. After Amazon secured the database, the researcher found out that PathEvolution actually belongs to another marketing company named “Ifficient”. Ifficient confirmed that they were contacted by Amazon and that they secured the database that was accessible by anyone on May 11th, 2019.
Ifficient clarified that the 130 million database entries only correspond to 8 million people, as there are many duplicates in there. The company thanked Sanyam Jain for making this issue known to them and promised to notify all the people who had their PII leaked out. However, right now, they claim to see no signs that their database was accessed by malicious individuals. The primary lesson for everyone here is to keep in mind that those benign surveys that ask for your personal details can cause you a lot of trouble in exchange for a free sample, or something else of low value. If you don’t have a really good reason to give away your PII, don’t do it.