California emblem

The details of over 19 million California voters were left exposed online in an unsecured MongoDB database and were later held for ransom, according to researchers from the Kromtech Security Center.

Researchers say they found the voter registration data inside a database that was left publicly accessible online. Despite their best efforts, Bob Diachenko, Kromtech's Chief Communication Officer, says the company couldn't identify the owner of the database and notify them of the data's exposure.

Database held for ransom

The database was later caught up in the ongoing wave of MongoDB ransom attacks. A hacker used an automated script to scan the Internet for open MongoDB databases, wiped its content, and left a ransom demand behind.

The ransom demand was for 0.2 Bitcoin, worth around $3,500 today. The Bitcoin address associated with this account showed at least one ransom payment, dated November 26. Ransom groups often reused Bitcoin addresses, so this may be related to another ransomed database.

This type of ransom attack has been happening against MongoDB servers since December 2016, and they have picked up again in September 2017 after going quiet over the summer. Other ransom attacks also targeted ElasticSearch, Hadoop, CouchDB, Cassandra, and MySQL servers.

Unclear who the database belonged to, who viewed it

It is unclear if the hacker made a copy of the data before deleting the voter registration database. In previous ransom attacks against MongoDB servers, attackers sometimes made copies, while other groups did not.

It is also unclear if other hacker groups found and made a copy of the voter registration database before it was deleted.

Diachenko says the database was deployed online on May 31st, 2017, but he could not say if the database belonged to an authorized party (state agency or contractor). The database could have belonged to another hacker as well, and the data could have been stolen from the state's real database.

Sensitive information possibly exposed

As for what was inside the database, Kromtech says:

The database named 'cool_db' contained two collections and was available for anybody with Internet connection to view and/or edit. One was a manually crafted set of voter registration data for a local district and the other appeared to contain the entire state of California with 19,264,123 records, all open for public access.

The first collection was only 4GB in size, contained fewer records, but with extensive information on each entry. Kromtech says the data was structured with the following rows:

City: 
Zip: 
StreetType: 
LastName: 
HouseFractionNumber
RegistrationMethodCode 
State: CA 
Phone4Exchng: 
MailingState: CA
Email: 
Phone3Area:  
Phone3NumPart:  
Status: A 
Phone4Area: 
StreetName: 
FirstName:
StreetDirSuffix: 
RegistrantId:
Phone1NumPart: 
UnitType:  
Phone2NumPart: 
VoterStatusReasonCodeDesc: Voter Requested 
Precinct: 
PrecinctNumber: 
PlaceOfBirth: 
Phone1Exchng:
AddressNumberSuffix: 
ExtractDate: 2017-05-31
Language: ENG 
Dob: 
Gender: 
MailingCountry:
AssistanceRequestFlag 
MailingCity: 
MiddleName:
AddressNumber:  
StreetDirPrefix:  
RegistrationDate: 
PartyCode: 
Phone1Area:  
Suffix:
NonStandardAddress: 
Phone4NumPart:  
CountyCode: 
MailingAdd3:  
MailingAdd2:  
MailingAdd1:
UnitNumber:  
Phone2Exchng: 
NamePrefix:  
_id: ObjectId 
MailingZip5: 
Phone2Area: 

The second collection was 22GB in size and contained the full set of California registered voters, but with less information on each entry. There were 409,449,416 records in total on 19,264,123 people.

ExtractDate: '2017-05-31', 
'District': 
'RegistrantId': 
'CountyCode':, 
'DistrictName': 
'_id': ObjectId

Back in June, security firm UpGuard found an Amazon S3 bucket containing the details of 198 million US voters.