A database which contains the private data of millions of South Africans – including ID numbers, contact details, addresses, and income estimates – has been exposed.

Security researcher and creator of Have I Been Pwned?, Troy Hunt, discovered the data and took to Twitter to solicit advice from South Africans.

The name of the file containing the data was “masterdeeds”, suggesting it may have been obtained from the Deeds Office – the custodian of information about property owners in South Africa.

Hunt told MyBroadband the leaked database is a 27.2GB backup file that he found available as a torrent some time ago. He imported the backup and gained 31.6 million records before it crashed.

Hunt said that one record was only 594 characters. Assuming an average record length of 600 bytes, that means there could be over 47 million records in the database.

Legitimate

Hunt queried the data of people who granted permission for him to do so, and the results looked legitimate.

However, it appears the data might be compiled from multiple sources. Address, income, living standard measure, contact, and employment information seem to be more current than the title deed data.

It is not clear where the data originated from, or who leaked it.

The backup file was last modified in March 2017, giving a possible date the breach took place. Hunt noted it could have happened earlier, however, as the data dates back to the early 1990s.

The Department of Rural Development and Land Reform has a website through which title deed data may be queried called DeedsWeb.

MyBroadband has contacted the Chief Registrar of Deeds and the State Information Technology Agency for comment.