A CouchDB database holding 154 million voter records was left without protection after hackers breached its network and took down its firewall, The Daily Dotfollowing an investigation by MacKeeper security researcher Chris Vickery.
Vickery discovered the database earlier this week, and with the help of a Daily Dot reporter managed to track it down to a company named L2 that builds, manages, and sells access to US voter records.
Hacker breaches company hosting details of 154 million US voters
When the two inquired about the unprotected database that was exposed online without being protected by a password, L2 said it belonged to one of their clients.
L2 notified the client, who told L2, the reporter, and Vickery that they were compromised by a hacker, who took down their firewall. Without the firewall between the database and the public Internet, anyone knowing the database’s IP address or scanning for unprotected CouchDB servers would have been able to access it.
This particular database was hosted on a Google Cloud server, and according to Vickery contained details on over 154 US voters.
Database includes troves of valuable personal information
For each database entry (US citizen) the following information was included: address, city, state, ZIP code, age, estimated income, ethnicity, first name, last name, gender, political party association, phone number, voting frequency, congressional and State Senate district affiliation.
For some users, the database also included fields that stored information about their income, likelihood to have children, email addresses, Facebook profile URLs, and if the voter owned a gun.
L2 informed the client, who took down the database. L2’s CEO also told Vickery that the database contained one-year-old information, and did not include the full dataset that L2 collects from US voters.
Over 400 million US voter records are now out in the open
The hacked client also started an investigation into the incident. It is not known at this moment if the hacker was after the US voter database or after something else, or if he or someone else downloaded the voter database.
This is the third public data leak of US voter records. Last December, Vickery found a misconfigured MongoDB database that exposed details of. In January, he found a second MongoDB database exposing records for over . Some of this data made its way on the Dark Web, where criminals were selling it for a few Bitcoin.
Besides the US, other countries like the, , , and faced similar leaks of voter databases.