Major data breach exposes database of 200 million users

(Image credit: Shutterstock)

Security analysts at CyberNews have discovered an unprotected database online which contains over 800GB of personal information including detailed records on over 200m US users.

The records stored in the unsecured database contained the full names and titles of the exposed individuals, email addresses, phone numbers, dates of birth, credit ratings, home addresses, demographics including numbers of children and their genders, detailed mortgage and tax records and other personally identifiable information.

Based on its analysis of the database, CyberNews believes that much of the data it contained may have originated from the US Census Bureau. This is because certain codes used in the database were either specific to the bureau or are used in the bureau's classifications.

The database in question is located in the US and was hosted on a Google Cloud server which was exposed for an unknown period. At the beginning of March, all of the records contained in the database were wiped by an unidentified party. However, the empty database is still online and is accessible without any type of authentication.

Exposed records

CyberNews also discovered two other folders which were unrelated to the personal records found in the main folder on the database. These folders contained emergency call logs from a fire department in the US as well as a list of 74 bike share stations that is now owned by Lyft.

While the two smaller folders did not contain any personal information, the call logs from the fire department included dates, times, locations and other emergency call metadata from as far back as 2010. These two seemingly unrelated data sets may indicate that the database was a collection of stolen data or was used by several parties simultaneously.

However, the security analysts suspect that the database belonged to a data marketing firm or a credit card company based on how the data in the main folder was structured.

Although the database has since been wiped, it contents could have been downloaded by a malicious actor and CyberNews explained how those whose data has been exposed could be affected, saying:

“If the data was stolen by a malicious actor, the consequences for more than 200 million US users may be immense. Merely selling these records on darknet marketplaces at the below-average asking price of $1 per record would net the seller about $200 million. If utilized by cybercriminals to its full destructive potential, however, this data leak can result in untold billions in damages for defrauded users.”

If you're worried that your data may have been exposed, you can check here to see if it was.

  • We've also highlighted the best VPN services
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
China
Notorious Chinese hackers FamousSparrow allegedly target US financial firms
A digital representation of a lock
NYU website defaced as hacker leaks info on a million students
NHS
NHS IT supplier hit with major fine following ransomware attack
Data leak
Top home hardware firm data leak could see millions of customers affected
Representational image depecting cybersecurity protection
Third-party security issues could be the biggest threat facing your business
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Latest in News
An image of the Nintendo Switch 2
Nintendo Switch 2 pre-orders will start on April 2 according to Best Buy Canada
Person printing
Microsoft’s latest Windows 11 update exorcises possessed printers that spewed out pages of random characters
Pro-Ject A1.2 in black, playing a vinyl record in a hi-fi listening room
Pro-Ject's new fully-automatic turntable could be the buy of Record Store Day 2025
Intergalactic: The Heretic Prophet
Intergalactic: The Heretic Prophet reportedly won't release until after 2026, as Neil Druckmann says that staff 'are playing it at the office' right now - but I don't think I can wait that long
Screenshot from action RPG soulslike Lies of P
Lies of P Overture won't elaborate on the game's eyebrow-raising post-credits twist, and I think that's good news
Nintendo Switch 2
The Switch 2 launching with a Mario Kart game 'is very unlike Nintendo' compared to the original Switch releasing with Breath of the Wild, says former marketing leads: 'That's what's gonna make you want to buy the new hardware'