154 million American voters' records exposed thanks to unsecured database

Yet another leak. This time it was a database containing the records of 154 million U.S. voters; accessing it required no authentication.

A misconfigured CouchDB instance caused 154 million U.S. voters’ records to be exposed, according to MacKeeper security researcher Chris Vickery. “It was configured for public access with no username, password, or other authentication required.”

Vickery determined the leaky database was on Google Cloud Platform and traced it back to a client of L2, a company that claims to be the country’s “most trusted source for enhanced voter” data.

The database included fields for addresses, age, congressional as well as state senate districts, education, estimated income, ethnicity, name, gender, languages, marital status, phone number, voting frequency, presence of children, and whether the voter was a gun owner.

Vickery emailed every L2 email address he could find, receiving a response from L2’s CEO Bruce Willsie. L2’s unnamed client gave the old “we were hacked” excuse—something Vickery hears a lot after notifying a company of its unprotected database. Yet the database was taken offline fairly fast, three hours after Vickery spoke with Willsie.

Part of Willsie’s official statement included:

We very quickly identified the national client, informed them immediately and they took down the site as quickly as they could. The client told us that they were hacked, the firewall was taken down and then the probing began. This was an old copy (from about a year ago) of the national file, and it had only a very small number of our standard fields. Needless to say, the client is doing its own research now to determine the extent of the incursion. I’ve asked that they report back to us with their findings and their plan for hardening their system in the future.

Curious, Vickery queried the server’s log and determined that a Serbian IP had been interacting with the publicly exposed U.S. voter profile database on April 11. “Why was a Serbian IP messing around with a U.S. voter database?” he asked. While it could have been a proxy, he called it “very troubling” that the incursion took place this year.

April was the same month Vickery discovered a misconfigured MongoDB hosted on AWS that contained the personal information of millions of Mexican voters. In May, he discovered yet another Mexican voter database that was publicly exposed. Russia, the Philippines and Turkey have had voters’ records dumped online. In December and January, Vickery discovered other misconfigured databases that resulted in a massive leak of U.S. voters’ records.

After this latest discovery of another unsecured database containing millions of American voters’ records, Dissent Doe from Pogo Was Right and the Office of Inadequate Security wrote on The Daily Dot, “Our government is currently doing little to nothing, so why should entities make more effort to secure our information?”

She added:

Attempts to regulate voter registration list dissemination are unlikely to succeed because political organizations and fund-raising organizations rely upon them, and their lobby makes mincemeat of any privacy lobbying efforts. No federal agency is enforcing data security in political organizations or non-profits, and so far, neither are state attorney generals.

Vickery asked anyone who can figure out who the L2 client was to contact him. “I don’t think L2 is going to tell us,” he added.

Copyright © 2016 IDG Communications, Inc.
