Security researcher Bob Diachenko along with Comparitech uncovered an unprotected MongoDB database that contained almost 188 million records of personal data from Pipl.com and LexisNexis.
What information was compromised?
The records from Pipl.com included personal data such as names, dates of birth, gender, race, religion, email addresses, physical addresses, phone numbers, social media profiles, past and current employers, skills, automobiles and properties owned, court and bankruptcy notes, and political affiliations.
Almost 800,000 records originated from LexisNexis and included names, addresses, gender, parental status, a short biography, family members, redacted emails, and information about the individual’s neighbors, including their full names, dates of birth, reputation scores, and addresses.
The researcher analyzed the ‘dataSource’ fields in the database and noted that the creators of the API either scraped or purchased the data from Pipl and LexisNexis.
According to Comparitech, data brokers like Pipl obtain personal information from a variety of public and proprietary sources without people’s consent. It is most common for people living in the US to find their data available on data broker and people search websites like Pipl, ZabaSearch, WhitePages.com, Wink, and PeekYou.
“The GitHub repo gives examples of how the API could have been used, for example, to look up people by their name or what car they own. It was last updated on June 18, 2019. It lists an email for users to request ‘bulk data purchases and/or access to more data/requests’,” Comparitech said in a report.
What was the response?
The open database was first indexed by search engines on June 17. Diachenko and Comparitech traced the database back to a GitHub repo for a people search API called ‘thedatarepo’ and notified the database owner about the issue. The database was then taken offline and secured on July 3, 2019.