Skip to content
Naked Security Naked Security

154 million voter records exposed, including gun ownership, Facebook profiles and more

Intimate details also include address, age, position on gay marriage, ethnicity, email addresses and whether a voter is "pro-life."

A database with 154 million US voter registration records has been leaking information on a dizzying array of intimate details, including gun ownership, Facebook profiles, address, age, position on gay marriage, ethnicity, email addresses and whether a voter is “pro-life.”

MacKeeper security researcher Chris Vickery found the instance of a CouchDB database wide open, configured as it was for public access with no username, password, or other authentication required.

As Vickery said in a post, he tracked down and notified the company that was the source of the database. It was shut down within 3 hours.

On Tuesday, Vickery reached out to the company – a data brokerage firm named L2 – to report his theory: that one of its clients had purchased data from L2 and was hosting it in an insecure manner.

L2 said that yes, that was the case. He and L2 CEO Bruce Willsie tracked down the client, and the database was taken offline within 3 hours.

In a statement he sent to Vickery, Willsie said that the situation was even worse than what Vickery’s screenshot showed. In fact, the national file of voter records that Vickery had captured – beyond things such as party affiliation, religion and income – had far more fields and far more personal details on individuals:

This was an old copy (from about a year ago) of the national file and it had only a very small number of our standard fields.

According to Willsie, L2’s client claimed that they’d been hacked, that the firewall had been taken down, and that’s when the probing began. The client was doing its own research to determine the extent of the incursion, he said, and will get back to L2 with its findings and their plan for hardening the system.

This is far from the first breach of voter records, which many people are surprised to hear are generally considered public. We’ve seen…

CSO Salted Hash’s Steve Ragan is one of those — along with Vickery – who’ve inspected these databases.

He notes that the US voter databases found around Christmas 2015 contained a voter’s full name (first, middle, last), their home address, mailing address, a unique voter ID, state voter ID, gender, date of birth, date of registration, phone number, a yes/no field for if the number is on the national do-not-call list, political affiliation, and a detailed voting history since 2000. As well, the database contains fields for voter prediction scores.

All of that, besides a few fields protected by some state laws, is public record. But in general, voter data is restricted to non-commercial purposes.

But once it’s available to anybody who knows how to find it online, we can kiss that notion of restricted use goodbye.

All those who’ve viewed the databases agree: tracking down who owns the databases is difficult. Ragan:

No one seems to care that [one of the earlier leaked databases} is out there and no one wants to claim ownership.

The fact that L2 acknowledged that the most recent dataset was its own, identified which client had leaked it, and managed to get it taken down in 3 hours, is actually an aberration.

Let’s hope it turns into a trend.

11 Comments

Seems like an argument against internet voting, wouldn’t you say? People too lazy to go to the polls can still vote by mail. All we need is a foreign government to vote for us.

you mean like the Chinese government giving millions to hilldog so she can outspend everyone else?

So, does the fact that, under Citizen’s United, a government, using a citizen proxy, can give unlimited dollars to any candidate they wish, all secret, give you pause? At all? Can you pinpoint where GOP money comes from? At least you think you know where Hillary got her money. You cannot even start for the GOP.

How in the world would a database have any level of voting history – no say “detailed”? I thought the U.S. used secret ballots.

I assumed that phrase referred to “a history of whether you showed up at the polling station or not,” rather than “what your actual choice was.”

I cannot wait for someone to decide On-line voting is an idea whos time has come .

Voter records are a matter of public record. They do not contain information about positions on issues. All they contain is address, basic demographics, a primary key, party affiliation, and which elections you’ve voted in recently. These records may have been ABOUT voters (most records are, after all), but they are not voter records, which are maintained by the individual states, not private organizations, and are available upon request (You wanna see a big CSV file dump? Order your state voter list. It’ll probably come on a DVD, as a CD won’t contain it).

Exactly, US voter registration records are public information. Some states have the databases online in the deep web, so you probably would not find the db in a Google search. But that doesn’t mean the records won’t come up in Google. I know there is a database that must access the Connecticut records because I have searched it. In New York, you have to go to the Board of Elections and buy the records (I have seen them on a CD). The file contains name, DOB, date registered, date of last vote, address, political party affiliation. In theory there should be no way to see how the voter voted.

nice to know that they have 154 million gun ownership records so when hilldog goes to confiscate them all, they can do it overnight and avoid any deaths fyi there isn’t that many people in the US military and law enforcement combined. Even then, most if of them are pro gun LOL.

Not all of the records that included the gun ownership field pertained to people who do in fact own guns. A subset of the 154m records included gun ownership details of both those recorded as having guns and those recorded as not owning guns. We don’t have details of the exact number of gun owners or non-gun owners.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?