120 Million American Households Exposed

A security researcher recently published his findings of a massive, unprotected database that contained a treasure trove of data on more than 120 million American households. If this seems like déjà vu, it’s probably because this is eerily similar to a story we reported in June that detailed the finding of an unprotected database which held data on more than 200 million voters — down to the same security researcher, Chris Vickery of cyber risk company UpGuard, blowing the whistle. The exposed data in question was stored on a server belonging to online analytics and marketing firm Alteryx, using information purchased from credit bureau Experian. Why was this data accessible in the first place, what kind of information did it contain and are you at risk? Keep reading to find answers to these questions and more.

Anyone could access the database without special credentials

Just like the aforementioned RNC database debacle, the epicenter of this breach was an Amazon Web Services (AWS) storage bucket that was not configured to block access by outsiders. Instead, anyone with an AWS account (which can be set up for free) and the right URL could download all of the data on a whim. That’s how Vickery was able to access it on Oct. 6, 2017, and because it is unknown how long the information was unsecured, there’s no telling who else could have downloaded the contents. Upon notification of the problem, Alteryx secured the account in question.
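The exposure described above, modelled as a check on a bucket's access control list (ACL); this is an added example, not code from this article, UpGuard or Alteryx. It assumes the access came from an ACL grant to S3's predefined AuthenticatedUsers group, and the function name and both sample ACLs are constructed for illustration.

```python
# Added example: flag S3 bucket ACL grants that reach beyond named accounts.
# Input mirrors the dict shape of an S3 GetBucketAcl response.
# Assumption: the exposure is an ACL grant to a predefined S3 group.

GROUPS = "http://acs.amazonaws.com/groups/global/"
BROAD_AUDIENCES = {
    GROUPS + "AllUsers": "anyone on the internet",
    GROUPS + "AuthenticatedUsers": "any AWS account holder",
}


def audit_bucket_acl(acl):
    """Return (audience, permission) pairs for grants to broad groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser grants name one specific account
        audience = BROAD_AUDIENCES.get(grantee.get("URI"))
        if audience:  # other groups (e.g. log delivery) are not broad
            findings.append((audience, grant.get("Permission")))
    return findings


# Constructed sample: the owner keeps full control, but READ is also granted
# to every authenticated AWS user, the condition the article describes.
EXPOSED_ACL = {
    "Owner": {"ID": "owner-canonical-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser",
                     "ID": "owner-canonical-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": GROUPS + "AuthenticatedUsers"},
         "Permission": "READ"},
    ],
}
# Constructed sample: the same bucket after the broad grant is removed.
SECURED_ACL = {"Owner": EXPOSED_ACL["Owner"],
               "Grants": EXPOSED_ACL["Grants"][:1]}

if __name__ == "__main__":
    for name, acl in (("exposed", EXPOSED_ACL), ("secured", SECURED_ACL)):
        hits = audit_bucket_acl(acl)
        print(name, "->", hits if hits else "no broad grants")
```

An ACL is only one of the places where bucket access can be granted, so an empty result here does not by itself show that a bucket is private.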

What kind of consumer information was in the database?

The files contained within the storage bucket included a database with information on more than 120 million American households. There were approximately 248 data fields per household, which contained all sorts of details ranging from addresses, phone numbers and ethnicity to interests, charitable contributions, number of children in the household, mortgage information and much more. You can view the entire list on the UpGuard post detailing the discovery. Because the name ConsumerView appears in the files, it’s likely that some of the information was purchased by Alteryx from Experian, which sells consumer data to marketing companies and other corporate clients. Both Experian and Alteryx stated to Forbes that no personal identifying information (PII), such as names and social security numbers, was included. This is a positive, for sure, but it doesn’t mean that this information in the wrong hands couldn’t be majorly exploited or used for a less-than-savory purpose. On its end, Experian has been sure to let querying reporters know that it was Alteryx that failed to secure the information, likely wanting to sidestep any potential Equifax comparisons.

Alteryx claims the information is harmless, security experts disagree

Both Alteryx and Experian have stated that the exposed data does not pose any risk of identity theft because it is used purely for analytical purposes and doesn’t directly identify any individuals. However, Vickery disagreed, stating that the data could be cross-referenced with data from other leaks and public records (such as voter registration) to learn more about the individuals profiled and piece together who they are. Consumers have become more aware this year than ever of the amount of data that is being collected, shared and sold about them by companies like Alteryx that they’ve never even heard of before. In an instance like this, there isn’t much you can do to directly help yourself, but it is a great reminder to focus on enhancing your personal security through measures such as reducing your attack surface, tightening your online privacy settings and thinking twice before sharing information online or offline.

If you do want an extra set of eyes on your information, you may want to consider signing up for an identity theft protection service. These services scan public records and Internet black market websites to let you know if, when and where your information appeared, alerting you to potential identity theft. On top of that, most of the services we review also monitor your credit reports, which means you’ll also be in the know if someone uses your personal information to open a credit account in your name. Visit our identity theft protection reviews to find the right service for your needs and budget.
