Security researcher Sanyam Jain has uncovered an unprotected Elasticsearch database that has been left publicly accessible without any authentication.
What was exposed?
The leaky database has exposed the personal information of almost 8 million people who had participated in online surveys, contests, and requests for free product samples.
Who is the owner of the database?
The security researcher noted that many of the records he came across had a field containing the ‘userenroll.com’ domain. Jain learned that the domain belonged to an online marketing company named PathEvolution.
Jain then found out that PathEvolution was owned by a parent company named Ifficient. However, he could not contact the owner, so he contacted Amazon, which was hosting the database, and notified it about the unsecured database.
Ifficient finally secured the leaky database on May 11, 2019, after being contacted by Amazon.
“We received a single notification from Amazon and took necessary steps to address identified vulnerabilities, if any, within hours of being notified of the potential problem. Amazon referenced a far greater number of records exposed, but these records pertained to impression data and therefore included an extremely high number of duplicate records,” Ifficient said.
The Response
“According to nearly all applicable state data breach notification statutes, this information does not constitute personal information. Most notably, we don't capture or store SSN, drivers license or state ID numbers, or financial account or payment card numbers. Regardless, we are currently taking steps to notify individuals for whom data sets defined by the applicable state statutes to constitute personal information was stored. We'll also be offering identity monitoring services to those individuals,” Ifficient said, BleepingComputer reported.