In late 2015, a security researcher found voter registration records of 191 million US voters on the Internet. Months later, hackers were found selling those records on several dark web marketplaces. Now, the IT security firm Kromtech has revealed that its researchers discovered a MongoDB database (a popular database management system) containing over 19 million California voter records.
Database was left exposed
The database was left exposed for anyone with Internet access to view or edit. In most such cases, researchers contact the affected party and inform it about the exposed data, but in this case Kromtech researchers were unable to identify the owner.
Remember, MongoDB is used by well-known organizations such as LinkedIn, MetLife, the City of Chicago, Expedia, BuzzFeed, KPMG and The Guardian.
Cybercriminals held voters database for ransom
Since early 2017, hackers have been targeting MongoDB-based databases. In this case, according to researchers, hackers discovered the voter records, took control of the database and left a ransom note before deleting its entire contents.
The ransom note asked the owner of the database to send 0.2 bitcoin, that is around USD 3,123 (thanks to the sudden price hike), to a bitcoin address. However, because the cybercriminals erased the database, researchers were unable to conduct a detailed analysis.
Furthermore, the group stated that “your database is downloaded and backed up on our secure servers.” Simply put: the group now holds the database and wants the owner to pay to get it back.
What data the database had
In total, the 4GB database contained 19,264,123 records. As expected, it included highly personal and sensitive data of registered Californian voters such as:
City, Zip, StreetType, LastName, HouseFractionNumber, RegistrationMethodCode, State (CA), Phone4Exchng, MailingState (CA), Email, Phone3Area, Phone3NumPart, Status (A), Phone4Area, StreetName, FirstName, StreetDirSuffix, RegistrantId, Phone1NumPart, UnitType, Phone2NumPart, VoterStatusReasonCodeDesc (Voter Requested), Precinct, PrecinctNumber, PlaceOfBirth, Phone1Exchng, AddressNumberSuffix, ExtractDate (2017-05-31), Language (ENG), Dob, Gender, MailingCountry, AssistanceRequestFlag, MailingCity, MiddleName, AddressNumber, StreetDirPrefix, RegistrationDate, PartyCode, Phone1Area, Suffix, NonStandardAddress, Phone4NumPart, CountyCode, MailingAdd3, MailingAdd2, MailingAdd1, UnitNumber, Phone2Exchng, NamePrefix, _id (ObjectId), MailingZip5, Phone2Area.
Moreover, researchers also found a 22GB file containing a massive 409,449,416 complete California voter registration records. It is believed that the database was created on May 31st, 2017.
Fields seen in that file included: ExtractDate ('2017-05-31'), District, RegistrantId, CountyCode, DistrictName and _id (ObjectId).
MongoDB and ransom
Since 2016, there have been a number of incidents in which MongoDB databases have been found exposed on the Internet or held for ransom. In January this year, several unsecured MongoDB databases were hijacked by a hacker who not only wiped those databases but also kept copies of them and demanded a ransom of 0.2 bitcoins (roughly US$211 at that time).
Researchers also found 13 million MacKeeper credentials and 58 million business firm accounts exposed online last year due to misconfigured MongoDB databases. Last week, the AI.Type keyboard app had 31 million customer records exposed online due to a misconfigured MongoDB database. In that case, it was discovered that the keyboard app had been spying on users and collecting everything a user did on their smartphone.
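Every incident above comes down to the same two mongod.conf settings: a listener reachable from other hosts and security.authorization left off, so anyone who can connect can read, edit or drop every database. As an added example (not code from the article, Kromtech or MongoDB Inc.), the Python audit below flags both conditions in a config file. The two sample configs are constructed, and the YAML parser is a minimal helper written for this example that only handles the indented key: value subset mongod.conf actually uses (no lists, anchors or multi-line scalars).

```python
"""Audit a mongod.conf for the two settings behind most exposed-MongoDB incidents.

Added example, not code from the article or from MongoDB. Sample configs are
constructed; the parser covers only mongod.conf's indented 'key: value' subset.
"""
import ipaddress


def parse_simple_yaml(text):
    """Parse nested 'key: value' mappings by indentation into dicts of dicts/strings."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled); root never pops
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        while indent <= stack[-1][0]:  # close mappings at this indent or deeper
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a key with no scalar opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def lookup(cfg, dotted, default=None):
    """Fetch a dotted path such as 'net.bindIp'; return default if any part is missing."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def is_loopback(addr):
    """True for 'localhost' and loopback IPs (127.0.0.0/8, ::1)."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # hostnames, unix socket paths, etc.
        return False


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks pass."""
    cfg = parse_simple_yaml(text)
    findings = []

    # Check 1: which hosts can reach the listener at all?
    bind_all = str(lookup(cfg, "net.bindIpAll", "false")).lower() == "true"
    bind_ip = lookup(cfg, "net.bindIp")
    if bind_all:
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif bind_ip is None:
        findings.append("net.bindIp is not set: releases before 3.6 default to every interface")
    else:
        for addr in (a.strip() for a in str(bind_ip).split(",")):
            if is_loopback(addr):
                continue
            try:
                unspecified = ipaddress.ip_address(addr).is_unspecified  # 0.0.0.0 or ::
            except ValueError:
                unspecified = False
            if unspecified:
                findings.append(f"net.bindIp includes {addr}: mongod listens on every interface")
            else:
                findings.append(f"net.bindIp includes {addr}: reachable from other hosts on that network")

    # Check 2: does a connection need credentials before it can touch data?
    if str(lookup(cfg, "security.authorization", "disabled")).lower() != "enabled":
        findings.append("security.authorization is not 'enabled': anyone who can connect "
                        "can read, edit or drop every database")
    return findings


# Constructed sample: the shape of config found on exposed, ransomed instances.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # listens on every interface
"""

# Constructed sample: loopback only, and every connection must authenticate.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_mongod_conf(conf) or ['no findings']}")
```

MongoDB 3.6 changed the default bind address to localhost; older releases listened on all interfaces unless net.bindIp was set, which is why an absent net.bindIp is reported as a finding rather than silently accepted. Binding to loopback (or to a firewalled private address) and enabling authorization are independent controls; the audit reports each separately because either one alone still leaves the data exposed to everyone on the reachable network.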
Voters database and dark web
A dark web marketplace is a perfect place for hackers and cybercriminals to sell what they steal from others. A year ago, entire US voter registration records were being sold on the now-seized Hansa marketplace, so Californians should not be surprised if their data goes up for sale on the dark web.