A publicly-accessible database with information on roughly 80 million American households has been discovered on a Microsoft cloud server, representing more than half of the total number of U.S. households.

While at the moment there is no information pointing at who is the company who left the 24 GB worth of data exposed, vpnMentor’s research team in collaboration with hacktivists Noam Rotem and Ran Locar—who found the unprotected database on a Microsoft cloud server—are currently in the process of identifying its owner(s).

The fact that all entries found in the database contain the "member_code" and "score" point to the huge collection of information belonging to a service which used it as a member tracking tool.

Sample exposed household data

The leaked household data

As described in the report published by Rotem and Locar, the leaked database was used to organize the information in a "household" format instead of focusing on the individuals as most such data collections do.

The leaked info includes:

Full addresses, including street addresses, cities, counties, states, and zip codes

Exact longitude and latitude

Full names, including first, last, and middle initial

Age

Date of birth

While there's a lot of data available in human-readable form, the database also contains coded info presented in the form of "internally-assigned numerical values" related to:

Title

Gender

Marital status

Income

Homeowner status

Dwelling type

"This isn’t the first time a huge database has been breached. However, we believe that it is the first time a breach of this size has included peoples’ names, addresses, and income," stated Rotem and Locar. "This open database is a goldmine for identity thieves and other attackers."

Why it stands out

Even though data breaches have become very common, this leaked database stands out for at least a couple of reasons not taking into account the fact that 80 million households translates in a huge number of individuals being affected, somewhere in the range of hundreds of millions of people having their addresses, locations, and dates of birth exposed.

First of all, all the entries stored in the database are of people under 40, this being the only item of information connecting all the individuals part of the approximately 80 million households.

Secondly, every entry in the leaked collection of households comes with an "income" and "homeowner" tag which could be related to "an internal ranking system, a tax bracket, or an actual amount."

However, as the vpnMentor report states, this would mean that the info found in the publicly-accessible database is owned by a mortgage or insurance company. Despite this, there is no specific information on payments, social security numbers, or account numbers, something that such a collection of data should include.

Rotem was behind another important discovery back in January, when he found that attackers could potentially view and change private info in flight bookings made by millions of major international airlines' customers because of a security issue present in the Amadeus online booking system.