A vast database containing information scraped from the public domain on 56.25 million U.S. citizens has been found online, with no security and serving an IP address belonging to Chinese online retailer Alibaba.
All data hosted on the server seems to belong to an online service called CheckPeople.com, which offers details, such as addresses or phone numbers, of U.S citizens, for a fee. The service also provides criminal records. The company says that everything is gathered from public records.
According to The Register, a white hat hacker going by the name of Lynx found out that a 22 GB database, containing a wide array of details about millions of Americans, was sitting online with no safeguards. Making matters worse, the database seems to be hosted somewhere on a Chinese server, in Hangzhou.
While the information is scraped from public sources, which is available to anyone, the fact that it’s gathered in a single place and is searchable, makes it dangerous. A bad actor could pair this database with other leaks and weaponized it in ways that pose a threat.
“In and of itself, the data is harmless, it’s public data, but bundled like this, I think it could actually be worth a lot to some people. That’s what scares me when people start combining these with other datasets,” said Lynx for The Register.
This is not the first time unattended databases with troves of personal data have been found online. An open Elasticsearch server with private data on 1.2 billion people was located just over a month ago, and it’s still unclear how that came to be. Similarly, a database owned by TrueDialog storing millions of SMS text messages in plain text was left unattended online, ripe for the taking by anyone interested.