Bottom line: Three unsecured Elasticsearch servers have exposed the personal data of nearly 57 million people in the US. The 73GB data leak was discovered on November 24 by a researcher at HackenProof during a routine audit using the Shodan search engine. However, the wide-open server was first indexed by Shodan on November 14.
One of the misconfigured servers contained records on 56,934,021 US citizens. The personal information that was leaked included first and last names, employers, job titles, email and street addresses, states, zip codes, phone numbers, and IP addresses.
A second database contained more of a “Yellow Pages” directory, listing primarily businesses. It contained more than 25 million entries. The exposed data included the name, company details, zip code, address, carrier route, latitude and longitude, census tract, phone number, web address, email, employee count, revenue numbers, NAICS codes, SIC codes, and more.
HackenProof was unable to determine the source of the leak, but an analysis of the data fields showed a structural resemblance to those used by Data & Leads, a data management company. Researchers reached out to the firm but received no response. However, shortly after HackenProof emailed Data & Leads and published its report, the company's website went offline. As of this writing, the site is still unavailable.
Moreover, HackenProof reports that the databases are no longer exposed to the public. The servers were publicly accessible for at least two weeks, judging by when Shodan first indexed them, but they could have been wide open for even longer.
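The root cause in incidents like this is an Elasticsearch node bound to a public interface with authentication disabled. The following script is an added example, not code from the article or from HackenProof, showing how a defender can audit a node's `elasticsearch.yml` for that combination and how to interpret a probe of the REST API on port 9200. The settings it inspects (`network.host`, `http.port`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`) are real Elasticsearch options; the sample configuration text is constructed for illustration, and `probe_node` is a helper name assumed here.

```python
"""Audit an Elasticsearch node for the unauthenticated-exposure pattern.

Added example, not part of the original article. The two sample
elasticsearch.yml fragments below are constructed for illustration.
"""
import json
import urllib.error
import urllib.request

# Bind addresses that keep the HTTP API off the network entirely.
LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}

# Constructed sample: the weak configuration that leads to a public, open node.
SAMPLE_WEAK = """
cluster.name: marketing-data
network.host: 0.0.0.0          # listen on every interface
http.port: 9200
xpack.security.enabled: false  # no authentication at all
"""

# Constructed sample: the same node with the exposure closed.
SAMPLE_HARDENED = """
cluster.name: marketing-data
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_flat_yaml(text):
    """Parse the flat `key: value` lines used in elasticsearch.yml (no nesting)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def audit_config(settings):
    """Return (severity, message) findings for settings that expose the node."""
    findings = []
    host = settings.get("network.host", "localhost")  # ES 7+ binds loopback by default
    public_bind = host not in LOOPBACK

    security = settings.get("xpack.security.enabled")
    if security is None:
        # Releases before 8.0 leave security off when the setting is absent.
        findings.append(("HIGH", "xpack.security.enabled not set; pre-8.0 defaults to off"))
        security_off = True
    else:
        security_off = security.lower() == "false"
        if security_off:
            findings.append(("HIGH", "xpack.security.enabled is false: no authentication"))

    if public_bind and security_off:
        findings.append(("CRITICAL", f"node bound to {host} with authentication disabled; "
                                     "indexable by Shodan and readable by anyone"))
    elif public_bind:
        findings.append(("MEDIUM", f"node bound to {host}; confirm a firewall limits reach"))

    if public_bind and settings.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append(("MEDIUM", "HTTP API served without TLS"))
    return findings


def classify_probe_response(status, body):
    """Interpret GET / on port 9200: 200 with cluster metadata means wide open."""
    if status == 401:
        return "auth_required"
    if status == 200:
        try:
            if "cluster_name" in json.loads(body):
                return "open"
        except ValueError:
            pass
    return "unknown"


def probe_node(url, timeout=5):
    """Assumed helper: fetch GET / from your own node and classify the answer."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_probe_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 401/403 arrive as exceptions in urllib
        return classify_probe_response(err.code, "")


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_config(parse_flat_yaml(sample)))
```

Run the config audit against each node's own `elasticsearch.yml` from the inside; the probe helper is meant for checking your own nodes from an external vantage point, which is exactly the view Shodan had of the servers in this story.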
Without confirmation from the suspected company, HackenProof turned the recovered information over to the data breach indexing site Have I Been Pwned (HIBP) in the interest of the public and responsible disclosure. Those concerned that they may have been exposed can perform a search on the HIBP website and take appropriate measures if necessary.