Here’s a database riddle: what kind of service collects data on 80 million US households, but only people over the age of 40, and includes their name, birthdate, gender, income, homeowner status, map coordinates, whether they’re married (but not how many children they may have), and dwelling type (but not their social security number)?
Give up? So did the security researchers who stumbled on an open database with all that data. That’s why they asked for help in trying to figure out who the database might belong to.
Noam Rotem and Ran Locar, VPNMentor researchers, found the unidentified, open database, along with its 24GB worth of records, hosted on a Microsoft cloud server. The database contained loads of detailed information that could be used in a number of ways, many of them not good, including being put to use by identity thieves or phishers.
Just knowing your name and city is enough to run a comprehensive search, Rotem and Locar said – one that could return company websites, personal blogs or websites, social media profiles like Facebook, Instagram, and Twitter, and whatever local media you may be featured in.
Depending on how much you share on social media, your vacation posts or business travel boasts could also be advertising to burglars when you’re away from home, the researchers said:
“Let’s assume you haven’t updated the security settings on your Facebook profile for a while, so your posts are visible to people you’re not friends with. Everything you post is open to the internet – including the vacation photos you uploaded that morning. The geotag shows that you’re thousands of miles away from home.”
But while the database held sensitive data galore, it lacked one crucial piece: any indication of what service it might belong to.