A database containing 154 million voter profiles on US citizens was exposed online without username or password protection, it has been revealed. Sensitive records in the files included political preferences, home addresses, estimated incomes and positions on marriage equality and abortion law.
The information, compiled by a US-based data brokerage firm called L2 that builds and sells profiles on US citizens, was left exposed online by a client and was reportedly being hosted on a Google cloud account without authentication.
The sensitive voter data was found by Chris Vickery, a security researcher working with MacKeeper who routinely locates unprotected databases with the use of the Shodan search engine. Luckily for L2's client, the data has since been taken offline.
"L2 has no control over what clients do with purchased data," Vickery told IBTimes UK. "It's up to the client to securely store it. L2 was extremely helpful in tracking down the responsible party and getting the database secured, so I don't want them to look like the bad guys."
After being contacted via email by the researcher, L2 said the compromised data was roughly a year old and explained the client – who remains unnamed – claimed to have been hacked. Based on his previous dealings with firms caught leaving data exposed online, Vickery said this excuse is unlikely.
"The 'we were hacked' explanation comes out a lot in the kind of research that I do," he said. "That doesn't necessarily mean that L2's client is lying about being hacked, but I am taking it with a grain of salt."
Meanwhile, Bruce Willsie, chief executive of L2 said: "We very quickly identified the national client, informed them immediately and they took down the site as quickly as they could.
"The client told us that they were hacked, the firewall was taken down and then the probing began. This was an old copy (from about a year ago) of the national file and it had only a very small number of our standard fields. Needless to say, the client is doing its own research now to determine the extent of the incursion."
Interestingly, while analysing the log files of leaked voter data, Vickery found a unique IP address linking to a server located in Serbia. He said: "You can see that a Serbian IP, 126.96.36.199, was interacting with this same database back on 11 April of this year. Why was a Serbian IP messing around with a US voter database? Even if this was just a proxy server it is still very troubling that this apparent incursion took place."
This is the third leak of the US voter records found by Vickery over the past 12 months. In December last year, the database hunter found a leaky file containing a massive 191m US voter records. Then, in January this year, he uncovered a second database that exposed a further 56m citizens. However, such incidents are not limited to the borders of the US. Other countries to be impacted by election-based hacks and data leaks includes Mexico, Turkey and the Philippines.
IBTimes UK contacted L2 for comment but had received no response at the time of publication.