Misconfigured Database Exposes Details of 191 Million US Voters

Share this…

Researchers could not track down the database’s owner.Security researcher Chris Vickery has identified a misconfigured database that contains the personal details of 191,337,174 US voters.

The unprotected database was discovered on December 20, contains over 300 GB of data, and includes details such as full names, voter IDs, home addresses, email addresses, party affiliations, ethnicity, telephone numbers, and more. Fortunately, no Social Security numbers were included, nor were driver’s license numbers or any type of financial information.

The database is still available online

After a week-long investigation from Chris Vickery, Steve Ragan of Salted Hash, andDataBreaches.net, the owner of the database has not been identified and the database still remains easily accessible online.

It is common practice in the US for states to create voter databases, which are then aggregated and offered to authorized individuals, like political parties, non-profits, scholars, journalists, law enforcement, and others.

Most states have different rules and laws on who gets to access the database, what information is collected, and what type of data is allowed to be made public.

All clues point to the Nation Builder platform

Because the investigation carried out by Vickery, Ragan, and DataBreaches.net was not successful in identifying the person or company responsible for the leaky database, the three contacted the FBI, NY office, and California Attorney General’s Office.

During their research, the three felt sure they identified the owner of the database as being Nation Builder, an online platform for launching political campaigns, created by 3dna, Corp.

The researchers contacted Nation Builder’s staff, who responded that the IP of the leaky database was not one of theirs, nor any of their clients’ who host data on their servers.

Despite the direct answer, the researchers were certain that the data was at least sold or distributed by Nation Builder, because it contained data field labels unique to their data structures, and the total number of records matched a tally from Nation Builder, as reported in March 2014.

One of Nation Builder’s clients may be to blame

It may be possible that one client might have bought the data from Nation Builder and hosted it on an improperly configured server.

Nation Builder founder and CEO Jim Gilliam admitted in a statement for SecurityWeek that some of the data may come from their database because they provide free access to this info to some political campaigns and advocacy groups. Additionally, he also said that, because most states provide free access to this data, this is not technically a data breach, except in some states like California, where access to some data is restricted.

DataBreaches.net contacted the California Attorney General’s Office, where they talked to one of the staff attorneys. That person’s reaction to the data breach was just “Wow.”

In the past, Mr. Vickery uncovered numerous unprotected MongoDB databases online. The US voters’ data may also be hosted on this platform.

Sample data from the leaky database

Sample data from the leaky database