Data on 191 Million U.S. Voters Was Leaked Online, Says Security Researcher

A security researcher with a knack for uncovering data breaches says he's discovered a trove of information including names, addresses, phone numbers, and dates of birth for more than 191 million U.S. voters on a publicly available server.

Researcher Chris Vickery says the database, which appears to be stored on a server accidentally configured to be accessible to the public, doesn't contain information like Social Security numbers or driver's license numbers, according to a Monday post on DataBreaches.net, an anonymously published watchdog site that frequently shares his findings. The database lists whether voters are registered with a particular party but not how they've actually voted in particular elections.

Vickery has previously reported millions of accounts' worth of data mistakenly stored in publicly accessible databases by insurance claim management software company Systema Software, security software firm Kromtech, HIV-positive dating app Hzone and a Hello Kitty fan community. He told Fast Company last week that he's reported about two dozen such leaks to companies since this summer, often finding unlocked database servers through the search engine Shodan, which lets users search for services running on particular ports.

Vickery and DataBreaches.net say they've been unable to locate the owner of the vulnerable server in order to have the database taken down, "despite countless hours" of effort contacting political consulting firms who could be connected. They say they've also reported the server to the FBI and to the California Attorney General's Office, since the database includes records from that state.

Security columnist Steve Ragan also wrote Monday that he was unable to track down the origin of the data, despite contacting a number of political organizations.

The apparent leak follows a data dispute earlier this month between the Hillary Clinton and Bernie Sanders presidential campaigns, after Democratic National Committee officials accused Sanders campaign workers of improperly taking advantage of a malfunction in a shared voter database to access confidential information stored by the Clinton campaign. The Sanders campaign has since fired the staffer said responsible for the breach.

Many states do provide some access to their voter data but generally limit its use and distribution to protect voter confidentiality, according to DataBreaches.net. The site's editor, who writes under the name Dissent, urged readers Monday to lobby their elected officials for stronger restrictions.

"It's too easy to upload a database with all of our contact details, our date of birth, and our political affiliations and voting history to the Internet where anyone can grab it," the DataBreaches editor wrote. "Tweet them a link to this article with #ProtectMyPrivacy."

'); window.ga('send', 'event', 'User' , 'Interaction' , this.key + ':ArticleView:newsletter:fail'); window.ga('rollup.send', 'event', 'User' , 'Interaction' , this.key + ':ArticleView:newsletter:fail'); if (index === data.response.errors.length - 1 ) { var successfulSubscribes = newsletters.diff(failedSubscribes); $(successfulSubscribes).each(function(index) { $form.parent('div').prepend(''); window.ga('send', 'event', 'User' , 'Interaction' , this + ':ArticleView:newsletter:success'); window.ga('rollup.send', 'event', 'User' , 'Interaction' , this +':ArticleView:newsletter:success'); }); } }); } else { $form.parent('div').html(''); $form.parent('div').removeClass('error'); window.ga('send', 'event', 'User' , 'Interaction' , 'fastcompany:ArticleView:newsletter:success'); window.ga('rollup.send', 'event', 'User' , 'Interaction' , 'fastcompany:ArticleView:newsletter:success'); window.ga('send', 'event', 'User' , 'Interaction' , 'events:ArticleView:newsletter:success'); window.ga('rollup.send', 'event', 'User' , 'Interaction' , 'events:ArticleView:newsletter:success'); } }; function _formFail ($form, error) { if (!$form) { return; } console.warn('error: ', error); // Use message from server response var message = JSON.parse(error.responseText); if (message.response && message.response.message) { message = message.response.message; // Error message not provided } else { message = 'Please enter a valid email address.'; } var $parent = $form.parent('div'); // Remove other errors first var $errors = $parent.find('.alert-box'); if ($errors) { $errors.fadeOut(300, function() { $(this).remove(); }); } if (message && (message.code === -100)||(message.code === 220)) { message = 'Please enter a valid email address.'; } // Append new errors $form.parent('div').prepend(''); $form.find('input').prop('disabled', false); }; }); })