Unidentified Unprotected Database Exposes PIIs of 80 Million US Households

Last updated September 17, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

If you are a US citizen, chances are that your sensitive personal data are leaked out from an unprotected 24 GB database that was just discovered by vpnMentor’s researchers, Noam Roten and Ran Locar. As the database contains the PII of family members of 80 million households, we’re talking about 65% of the total households in the country. The unprotected database is hosted by a Microsoft cloud server, but the ownership and thus the responsibility for securing it remains a mystery right now.

The leaking database contains entries of household data, and it follows a tree structure to include the members of each household. That doesn’t mean that the information about the members is basic, unfortunately, as the leaking elements include the full names, marital status, income details, birth date, gender, and even the ownership of the registered house. More worryingly, the street address with the corresponding zip code is also included, and to help deal with duplicate street names confusion, there’s also the exact longitude and latitude data for each household. The type of data also contains a “member_code” string, so the owner must be a service provider of some sort.

screenshot_database

image source: vpnmentor.com

Database leaks and unprotected servers containing the PIIs of millions is not something that we see as rare as we would like, but still, this occasion looks like the worst we have ever covered. We’re talking about a combination of vicious things here, from the amount of data to their type and importance. 65% of the US households have had their full names, income, age, and geolocation coordinates leaked, and I could write an entire book with what malicious actors could and definitely would do with this kind of information in their hands. Cherry-picking wealthy, older individuals who are living alone near their area would be a place to start for someone with bad intentions and lax ethics. And the worst element of all? The company responsible cannot be notified about the problem as no one knows who they are.

Still, and with so much data in there, there’s no concrete evidence as to who is responsible for plugging the leak. By searching in quite a few thousands of entries, the researchers realized that all members registered are aged 40 and above, so this could mean something about the type of service provided by the owner. Maybe it’s a healthcare service, insurance, or a mortgage company. If that was the case, however, the database should typically include the social security numbers of the members, and surely the payment methods as well, which it doesn’t, so the ball of wool remains tangled.

Any idea who could be the owner of this unprotected database? Share your thoughts in the comments section below, and help us spread the word by sharing this post through our socials, on Facebook and Twitter.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: