All news with #pii tag
Sat, July 26, 2025
AggregateIQ: Exposed Targeting Tools 'Monarch' and Saga
🔍 AggregateIQ's public repository exposed sophisticated ad and tracking tools linked to political campaigns. The Saga suite automates Facebook ad scraping, performance reconciliation, and asset backup, while Monarch provides pixel-based tracking (Jewel, Peasant) and a microservice stack (Peon) for event ingestion and enrichment. The codebase included credentials and configs enabling fine-grained targeting, though working user datasets were not present. The exposure raises significant privacy and electoral concerns.
Sat, July 26, 2025
LocalBlox S3 Misconfiguration Exposes 48M Records Publicly
🔓 UpGuard discovered an Amazon S3 bucket owned by LocalBlox that was publicly accessible, exposing a 1.2 TB ndjson archive containing approximately 48 million personal profiles. The dataset aggregated names, addresses, dates of birth, scraped LinkedIn and Facebook content, Twitter handles, and other identifiers used to build psychographic profiles. UpGuard notified LocalBlox and the bucket was secured on February 28, 2018. The incident highlights how a simple cloud misconfiguration can compromise consumer privacy and enable targeted influence at scale.
Sat, July 26, 2025
Marketing PR Platform Exposed Data of Hundreds of Thousands
🔓 UpGuard identified an Amazon S3 bucket tied to iPR Software that publicly exposed over a terabyte of files, including a 17 GB MongoDB backup. The collection contained 477,000 media contacts, approximately 35,000 hashed passwords, client marketing assets, internal PR strategy documents, and credentials for Google, Twitter, and a MongoDB host. UpGuard notified iPR in October 2019; public access was removed in late November after follow-up and media engagement.
Sat, July 26, 2025
Open rsync Repository Exposes 42,000+ Patients' Records
🔒 UpGuard discovered a publicly accessible rsync repository tied to Cohen Bergman Klepper Romano Mds PC that exposed records for more than 42,000 patients and over three million medical notes. The exposed data included patient and physician names, Social Security numbers, dates of birth, phone numbers, email and insurance information, along with an Outlook .pst and a virtual hard drive containing staff home addresses and family details. UpGuard notified the affected parties and Accenture, and the repository was secured after follow-up, underscoring failures in basic access controls and the need for faster remediation.
Sat, July 26, 2025
Spartan Technology S3 Exposure of South Carolina Arrests
🔒 UpGuard Research discovered a publicly accessible AWS S3 bucket containing roughly 60 GB of MSSQL backups uploaded by a Spartan Technology employee, exposing South Carolina justice-system records spanning 2008–2018. The dataset included about 5.2 million arrest-event rows, tens of millions of related records, and sensitive PII such as names, dates of birth, driver’s license numbers and roughly 17,000 Social Security numbers. Permissions included the "AuthenticatedUsers" group, enabling broad access; Spartan removed public access the same day after notification.
Sat, July 26, 2025
Misconfigured Amazon S3 Exposed Tea Party Campaign Data
🔓 On August 28, 2018, the UpGuard Cyber Risk team discovered a publicly readable Amazon S3 bucket named tppcf containing roughly 2 GB of campaign files belonging to the Tea Party Patriots Citizens Fund (TPPCF). The data included call lists with full names and phone numbers for about 527,000 individuals, along with strategy documents, call scripts, and marketing assets. UpGuard notified TPPCF on October 1; permissions were briefly set to allow global authenticated users and then removed by October 5. The incident illustrates how cloud misconfiguration can expose sensitive political microtargeting data and create significant privacy risks.
Tue, July 22, 2025
Understanding Why Your Personal Data Is So Valuable
🔒 In this episode of Unlocked 403, host Becks and ESET Global Security Advisor Jake Moore examine how everyday online activity becomes a marketable commodity. They explain how social media, apps and websites harvest, analyze and monetize both first- and third-party data, and why metadata often reveals more than expected. The conversation highlights risks for children and the long-term consequences of pervasive collection. Jake shares practical tips for tightening app privacy settings, limiting permissions and embracing data minimization to better protect personal information.
Thu, July 10, 2025
Massive CENTCOM/PACOM Cloud Leak Exposes Billions of Data
🔍 UpGuard discovered three publicly accessible Amazon S3 buckets associated with CENTCOM and PACOM that contained a vast corpus of scraped internet posts. One bucket alone held an estimated 1.8 billion records spanning 2009–2017, including news articles, forum threads, comment sections and social media posts. Configuration files and folders referenced a contractor, VendorX, and projects named Outpost and Coral, while Lucene indexes indicated the data was organized for search. UpGuard notified the Defense Department and the buckets were secured.
Thu, July 10, 2025
Data Warehouse Vendor Publicly Exposed a Terabyte of Backups
🔒 An UpGuard researcher discovered three publicly accessible Amazon S3 buckets tied to Attunity, a data integration vendor now part of Qlik. One bucket contained a sampled terabyte of backups, including roughly 750 GB of compressed email archives and OneDrive backups with system credentials, project documents, client lists, and employee PII. The researcher notified the vendor on May 16, 2019, and public access was removed the following day. The incident highlights how backup misconfigurations can expose credentials and sensitive corporate and customer data.
Thu, July 10, 2025
Exposed rsync Server Leaked Oklahoma Securities Data
🔓 UpGuard's Data Breach Research team discovered and secured a publicly accessible rsync storage server containing data belonging to the Oklahoma Department of Securities. The exposure included approximately 3 TB and millions of files spanning 1986–2016, including email archives, virtual machine images, system credentials, and personal records. UpGuard identified the host via Shodan, notified state officials, and public access was removed the same day.
Thu, July 10, 2025
Misconfigured rsync Leak Exposes One Million Education Leads
🔓 UpGuard's Cyber Risk Team discovered an exposed rsync repository tied to subsidiaries of Blue Chair LLC, including Target Direct Marketing, that revealed PII for over one million individuals seeking higher education information. The publicly accessible server included daily MySQL backups and website files, with names, emails, phone numbers and education-related lead fields. The exposure resulted from an rsync misconfiguration and highlights the need for strong vendor risk controls, data retention policies and restricted backup access.
Thu, July 10, 2025
Exposed Facebook User Data from Third-Party Apps Found
🔒 Two exposed third-party Facebook app datasets were discovered publicly accessible, including a 146 GB dump from Cultura Colectiva containing over 540 million records of comments, likes, reactions, account names and Facebook IDs. A separate At the Pool backup held profile fields and plaintext passwords for roughly 22,000 users. Both datasets resided in publicly readable Amazon S3 buckets, illustrating how misconfigured storage and long-lived third-party copies of user data create persistent leakage risk.
Thu, July 10, 2025
Cloud Leak Exposes Millions of Dow Jones Customer Records
🔒 A cloud-based file repository owned by Dow Jones & Company was discovered publicly accessible, exposing sensitive personal and financial details for millions of customers. UpGuard researcher Chris Vickery located an AWS S3 bucket under the subdomain dj-skynet on May 30, 2017; Dow Jones secured the repository on June 6 after notification. Exposed material included names, addresses, account identifiers, login emails, the last four digits of credit cards, and 1.6 million entries tied to Dow Jones Risk and Compliance products, illustrating the dangers of cloud misconfiguration.
Thu, July 10, 2025
The RNC Files: Largest US Voter Data Exposure Report
🔓 This UpGuard report describes a publicly accessible Amazon S3 data warehouse owned by Deep Root Analytics that contained 1.1 TB of unsecured files and linked datasets from Data Trust and TargetPoint. The exposed records included personally identifiable information for up to 198 million US voters alongside modeled political attributes and scoring. UpGuard discovered the bucket on June 12, 2017; Deep Root secured it after notification, and the report details discovery, contents, and implications for election data privacy.
Thu, July 10, 2025
Alteryx Cloud Leak Exposes Data on 123M Households
🔒 UpGuard discovered an Amazon S3 bucket at the subdomain 'alteryxdownload' that was misconfigured to allow any AWS 'Authenticated Users' to download its contents. The repository included Alteryx software and a 36 GB ConsumerView dataset from Experian containing 123 million household records and 248 fields. A separate file held public 2010 US Census data. Alteryx secured the bucket after notification, underscoring vendor and cloud configuration risk.
Fri, July 4, 2025
Task scams: Don't pay to get paid — warning for jobseekers
⚠️ Task scams are rising employment frauds that lure jobseekers with easy micro-tasks and visible “earnings,” then pressure victims to pay to unlock funds. The schemes use gamification, spoofed sites and messaging apps, often asking for cryptocurrency deposits or “level-up” fees. Victims see initial fake gains, then lose payments with no recourse. Always verify recruiters and never pay upfront.
Thu, July 3, 2025
Google Open-Sources ZKP Libraries for Age Assurance
🛡️ Google has open sourced its Zero-Knowledge Proof (ZKP) libraries to accelerate privacy-preserving digital ID and age-assurance solutions. Developed with Sparkasse, the release enables people to prove attributes (for example, that they are over 18) without sharing any other personal data. By making a performant ZKP codebase available, Google aims to help developers, researchers, businesses, and governments integrate privacy-first flows, including use cases for the European EUDI Wallet.
Fri, June 13, 2025
Secure Age Assurance for Europe and Global Internet
🔒 Google outlines a privacy-forward approach to online age assurance that emphasizes interoperability and targeted protections for children, teens, and parents. The post highlights the new Credential Manager API on Android, which enables sites and apps to request only necessary age information from trusted credential holders. Backed by zero-knowledge proofs, the system can verify age thresholds (for example, over 18) without exposing identity or additional personal data. Google urges standards development and cross-sector collaboration to extend and adopt this secure infrastructure.
Wed, June 4, 2025
Google survey: U.S. consumers report rising online scams
🔒 Google’s latest survey with Morning Consult shows U.S. consumers increasingly aware of online scams and taking new protective steps. Over 60% report an uptick in scams and one-third say they experienced a data breach, with texts and email the most common vectors. The report highlights generational differences in sign-in preferences — older adults rely on passwords while Gen Z favors passkeys and social sign-ins — and recommends Google Password Manager, 2‑Step Verification and modern authentication methods.
Wed, August 31, 2022
Student Loan Servicer Breach Exposes 2.5M Consumer Records
🔒 Nelnet Servicing, the servicing and portal provider for EdFinancial and the Oklahoma Student Loan Authority, disclosed a breach affecting 2,501,324 account holders. The incident exposed names, home addresses, email addresses, phone numbers and Social Security numbers, but did not include users' financial account data. Nelnet said its cybersecurity team secured systems, engaged third‑party forensic experts, and offered two years of credit monitoring, credit reports and up to $1 million in identity theft insurance. Security specialists warned the exposed PII could be used in targeted phishing and social‑engineering campaigns tied to student loan forgiveness news.