Tech companies are leaving your private data unlocked online and there isn’t much you can do about it. (image: Flickr/Maarten Van Damme)

SANTA ROSA, CALIF. — Chances are your private data has been available on the web for any random visitor to read. And you may not even be able to blame hackers or identity thieves for it.

Instead, somebody at a company that collected or handled your information — maybe a wireless carrier, maybe a software firm with a mailing list, maybe a political research firm trying to put you in one likely-voter box or another — may have left it vulnerable on their own. And this happens often enough for a security researcher to make finding these exposures his speciality.

What’s more, there’s really not much you can do about it short of becoming a digital hermit.

A boom in breaches

Chris Vickery, director of cyber risk research at Upguard Security, has a simple theory for why he keeps finding databases open.

“I would say convenience is probably the biggest reason,” Vickery said during an interview at a coffee shop in this Sonoma County city where he works remotely for his Mountain View, California employer. “It’s easier just to have it open to everybody.”

At best, he added, some hapless employee doesn’t think they left the data exposed or believes nobody will stumble upon their attempt to ease telecommuting.

The biggest such example Vickery has found to date was some 200 million voter-registration records that a Republican National Committee contractor left publicly accessible.

But the consequences of changing secure default settings in such cloud systems as Amazon’s (AMZN) AWS can go well beyond extra spam.

For example, the 13 million account credentials from the Mac-software firm Kromtech that Vickery found in 2015 could have been used to hack into other accounts “secured” with the same passwords.

The 6 million Verizon (VZ) wireless subscriber records Vickery found last month included some account passcodes that an attacker might have used to defeat two-step verification security that confirms strange logins with a one-time code texted to your phone.

(Verizon’s media division Oath owns Yahoo Finance.)

And the 87 million Mexican voting records he uncovered in 2016 could have been exploited by drug traffickers to compound the country’s plague of kidnappings and murders. Vickery recalled one immediate reaction: “You cannot let the cartels know about this.”

The 32-year-old’s work has won endorsements from other security researchers.

“Chris has been enormously effective at sniffing out exposed data left at risk in all sorts of obscure places,” said Troy Hunt, an Australian researcher who runs a data-breach index called Have I been pwned? that can reveal if your accounts have been exposed.

How to find a breach

Vickery said the easy part of his job is finding these databases, thanks to a searchable catalogue of publicly-accessible devices called Shodan and automated scanning tools that can quickly detect databases left open.

“The amount of data that comes back isn’t a ton, but it happens at a very, very fast rate,” he said.

At no point, he said, does he engage in hacking or impersonation of a legitimate user.

“If you have a password or a username set up, I’m not going to go any further,” he said. “I don’t trick anything.”

If a search locates apparently sensitive data, he will download a sample to confirm that it represents material that should have stayed private. He usually doesn’t bother looking for his own info, but he has not been amused when he finds it — such as in a leaked voter-registration database in 2016.

“I looked myself up just to see if it was legit, and it was all my data,” he recalled. “I was pretty pissed.”

Then he will try to notify the affected company. That hasn’t always been easy. Kromtech, the maker of the often-scorned security app MacKeeper, didn’t respond to his queries until he posted about the problem on Reddit — though after securing the data, the firm hired him to blog about security issues.