Most of the email addresses checked by researchers contained .gov suffixes or indicated that the user worked for the New York Police Department.
In April 2021, a hacker dumped household data of 250 million Americans online, and now VPNMentor’s team of cybersecurity researchers, led by Noam Rotem and Ran Locar, has discovered a misconfigured cloud database stored on Amazon Web Services.
The database was traced back to OneMoreLead, a relatively unknown US-based B2B sales and marketing firm. According to researchers, the 34 GB database was uploaded on April 10, 2021, and had been leaking the private data of around 126 million American citizens.
The researchers added that this incident has an “uncanny resemblance” to another leak that affected a Germany-based B2B marketing firm called Leadhunter back in 2020. But VPNMentor couldn’t confirm any definite link between the two incidents.
Unlaunched Company Loses Data
OneMoreLead is a new company, so news of the data leak must be devastating for its reputation. The company claims on its unfinished website that it has a database of more than 40 million “100% verified B2B prospects.”
VPNMentor researchers wrote in their report that the company is new and doesn’t have any clients at the moment. Hence, it is unlikely that OneMoreLead collected data from 126 million people within a year, unless those working for the company had a similar business previously.
Was PII Data Exposed?
The database reportedly contained nearly 126 million user records, but if we consider the number of duplicate records, the actual number could be between 63 million and 126 million. It’s catastrophic that OneMoreLead created such a vast treasure trove of information and stored it in an unprotected database.
The exposed data included PII such as:
- User name
- IP addresses
- Email addresses
- Home phone numbers
- Workplace-related information such as employer names, office addresses, phone numbers, etc.
“Cybercriminals could easily use this information to pursue financial fraud against everyone exposed. Simultaneously, they could use the information to build effective phishing campaigns, posing as a person’s employer, the government, and other trusted organizations,” researchers said in their report.
Database Could Be a Goldmine for Threat Actors
It is important to note that most of the emails checked by VPNMentor researchers contained .gov suffixes or indicated that the user worked for the New York Police Department.
Researchers are of the opinion that such records would have been a “goldmine” for cybercriminals had they discovered them before the researchers did and had a foreign government’s support. This could have allowed them to launch all kinds of attacks against government officials, from financial fraud to identity theft and phishing campaigns.
“Any leak like this could be easily avoided with some basic security measures taken, including securing servers, implementing proper access rules, and never leaving a system that doesn’t require authentication open to the internet,” researchers wrote.