An exposed database at background check company MC2 Data apparently leaked the data of more than 100 million Americans.
MC2, which runs websites like PrivateRecords.net, PrivateReports, PeopleSearcher. ThePeopleSearchers and PeopleSearchUSA, apparently left a database with 2.2TB of data unprotected and easily accessible on the internet, exposing more than 100 million records containing private information about U.S. citizens.
The new follows a breach earlier this year at background check service National Public Data that apparently leaked the data of nearly 3 billion people.
MC2 Data Leak Exposes a Massive Amount of PII
Cybernews researchers reported that the apparently misconfigured database exposed 106,316,633 records “containing private information about US citizens, raising serious concerns about privacy and safety. Estimates suggest that at least 100 million individuals were affected by this massive data leak.”
MC2 Data customers were also hit by the data leak, as the data of 2,319,873 subscribers to MC2 Data services was also leaked.
Background check services are used by employers, landlords and others to verify people’s background and gauge risk, and as such, they contain very sensitive data that shouldn’t be exposed or stolen. Services that leak such data also expose themselves to data protection and privacy regulatory consequences, civil lawsuits, and reputational and business damage.
Indeed, the data exposed by MC2 contained a lot of sensitive and personally identifiable information (PII), including:
- Names
- Emails
- IP addresses
- User agents
- Encrypted passwords
- Partial payment information
- Home addresses
- Dates of birth
- Phone numbers
- Property records
- Legal records
- Property records
- Family, relatives, neighbors data
- Employment history
Cybernews security researcher Aras Nazarovas said that “Background-checking services have always been problematic, as cybercriminals would often be able to purchase their services to gather data on their victims. While background-check services keep trying to prevent such cases, they haven’t been able to stop such use of their services completely. Such a leak is a goldmine for cybercriminals as it eases access and reduces risk for them, allowing them to misuse these detailed reports more effectively.”
MC2 Database Discovered in August
It’s not yet known if the data wound up in the hands of cybercriminals before the database was secured. The database was discovered on Aug. 7, per the Cybernews report:
“On August 7th, the Cybernews research team uncovered that the company left a database with 2.2TB of people’s data passwordless and easily accessible to anyone on the internet.”
The report says the researchers reached out to MC2 but never heard back, yet the database was eventually secured, raising the possibility that the data may not have wound up in the hands of cybercriminals:
“Cybernews reached out to MC2 Data multiple times but received no response. At the time of publishing, access to the database had been secured.”
Cybernews confirmed the possibility that the data may have been exposed but not stolen in a statement to The Cyber Express:
“Yes, the Cybernews research team discovered the open company database and contacted MC2 Data multiple times for official comment but received no response. According to our researchers, such a leak is a goldmine for cybercriminals as it eases access and reduces risk for them, allowing them to misuse these detailed reports more effectively. When this research was published, access to the database was secured, so we can’t say precisely whether the data ended up in the hands of cybercriminals.”
The massive data leak shows the importance of vulnerability services like Cyble’s ODIN scanner, which presently shows 337,000 exposed AWS buckets and 171,000 exposed Google Cloud buckets.
Published on Sept. 25, 2024 and updated on Sept. 26 to reflect the Cybernews statement
