Background

Database Holding Sensitive Information Of 80 Million U.S. Families Left Open Without Clear Owner

30/04/2019

People and companies store many things inside databases on the internet. But unfortunately, some of them are left without proper security, allowing the larger web to access them easily, or leaving the database in the wild without a clear owner.

The latter was found by Israeli researchers Ran Locar and Noam Rotem.

The two found an unguarded database that holds sensitive information on more than 80 million U.S. households but doesn't have a clear owner. The data includes people's full names, physical addresses and locations, as well as coded content like gender, age, income, dwelling type, homeowner status and marital status.

Stored on a Microsoft cloud server, the database is a cache of 24GB of data. Fully exposed, the leak proves to be a potential goldmine for cybercriminals.

"I wouldn't like my data to be exposed like this," Rotem said in an interview with CNET. "It should not be there."

The team verified the accuracy of some of the data but made an ethical decision to not download the data to help protect the privacy of the individuals who may be affected.

VPNmentor, which worked with Locar and Rotem on the research, is asking anyone who might be able to help identify the owner of the database to contact them.

Because the database has no clear owner, VPNmentor suspects that it could be owned by an insurance, healthcare, or mortgage company, although it says that information one would expect to find in a database owned by brokers or banks is missing.

For example, VPNmentor said that there are no policy or account numbers, Social Security numbers, or payment types among the data.

Another speculation is that the database might belong to a home-oriented company.

"Unlike previous leaks we've discovered, this time, we have no idea who this database belongs to," the researchers said. "It's hosted on a cloud server, which means the IP address associated with it is not necessarily connected to its owner."

While this incident is hardly the first time data has been exposed on a large scale, VPNmentor believes this is the first time a breach of this size has included people's real names, addresses, and income.

The potential risk may take many forms.

For example, scammers who get hold of the data can initiate phishing attacks using malicious links inside emails, which can lead to ransomware or further data theft. And with the database also holding gender, age and income level, scammers can easily identify who among the 80 million families are the most vulnerable.

Worse than fraud, the leak may result in stalking or even break-ins.

Microsoft initially declined to comment, before a spokesperson at the company issued a statement that said: "We have notified the owner of the database and are taking appropriate steps to help the customer remove the data until it can be properly secured."

Following the announcement, the database was then no longer publicly accessible.