Unsecured database containing 188 million personal records discovered online

Yet another trove of unsecured personal data uncovered - this time containing information from data brokers Pipl.com and LexisNexis

Yet another unsecured database containing personal information - this time the records of 188 million people - has been uncovered online.

That's according to an investigation conducted by Comparitech in partnership with security researcher Bob Diachenko.

Comparitech said that "some of the records appear to be from Pipl.com and LexisNexis, people search and legal search websites, respectively".

Pipl.com provides data-broking services, including personal information about individuals, mostly in the US. LexisNexis provides legal information services

The records from Pipl.com included first and last names, email addresses, physical addresses, date of birth, court and bankruptcy notes, phone numbers, social media profiles, political affiliations, race, religion, skills, gender, employment history and personal property.

Meanwhile, around 800,000 of records came from legal search engine LexisNexis. These names, addresses, gender, parental status, family members, emails and information about neighbours.

"It was first indexed by search engines on June 17. We traced the database back to a Github repo for a people search API called thedatarepo," wrote Comparitech in a blog.

"We promptly notified the database owner as soon as he could determine to whom it belonged. The owner then shut down access on July 3, 2019."

It's believed that the creators of the database scraped or purchased data from these websites, rather than breaching them.

The researchers went on to explain that anyone could search for people by their name or the car they own using the API, which was last updated in June.

Diachenko said personal information exposed online had become a huge risk. "I have previously reported that the lack of authentication allows the installation of malware or ransomware on the MongoDB servers.

"The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges. Once the malware is in place, criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains."

Warren Poschman, a senior solutions architect at Comforte AG, said the kind of data that was exposed and accessible to anyone is a dream for someone who wants to perform identity theft or mount a spear-phishing attack.

He said: "This example demonstrates nicely why we need privacy regulations that force data brokers to implement data-centric security on the personal data they are collecting - no matter if that data was publicly available or not.

"Data brokers gather personal data from many different sources and create combined data sets. These new data sets carry way more risk and as such need adequate protection."

It's far from the first time that an unsecured database bearing personal - sometimes highly sensitive - information has been uncovered online.

Just this week, it was revealed that 90 million records on a security database in China had been put online, unsecured. And the details of 275 million people in India were also exposed in a MongoDB database.