Level 30
Feb 4, 2016
Operating System
Windows 8.1
US data analytics provider Alteryx has left an Amazon S3 storage bucket exposed online, leaking the sensitive details of over 123 million US households in the process.

The unprotected server was found by US cyber-security firm UpGuard, which also discovered a similar Amazon S3 server containing sensitive NSA files, and another leaky S3 server containing data from the US Army's CENTCOM and PACOM divisions.

Just like in previous cases, database administrators had left the server's content exposed to anyone that was accessing an easy-discoverable URL while logged into an Amazon account.

Database exposed Experian US household data
While the Alteryx database contained all sorts of data, the two most important files were two database archives belonging to Alteryx business partners, US consumer credit reporting agency Experian and the US Census Bureau.

While the data belonging to the US Census Bureau —the 2010 census results — were already publicly available on the Bureau's Census website, the Experian data was never meant to be exposed.

The Experian data was stored in a file named "ConsumerView_10_2013.yxdb and contained what UpGuard researchers described as the "personally identifying details and data points about virtually every American household."

More precisely, the database contained over 3.5 billion details for over 123 million American households.
Data didn't include names, but it doesn't matter
The good news is that the data is somewhat old, the file being dated to 2013. The bad news is that while the data on each person was anonymized and did not include names, the database contained home addresses, which is just as bad.

"Private information across multiple fields such as addresses and banking info can easily be correlated with names," Atiq Raza, CEO of Virsec Systems told Bleeping Computer in an email, confirming that the lack of names will not be an issue for attackers.

While it is unclear if someone else besides UpGuard researchers discovered and downloaded the data, almost all the users contained in the database are now exposed to identity theft and phantom debt.

According to UpGuard, the problem at the heart of this leak, along with the NSA and US Army exposures, is the same, and that's contractors that do not adhere to the same security standards practiced by the company that outsources services —data mining and analytics, in this case.