10 billion records, including personal details, exposed by unsecured databases

online security
(Image credit: Shutterstock)

Nearly 10,000 insecure databases with more than 10 billion records that could be accessed by anyone online have been discovered by an unnamed security researcher.

Password manager NordPass -- part of the NordVPN security brand -- claims that the internet is “swirling with exposed databases” after the researcher it worked with over the past year discovered 9,517 exposed databases that contained 10,431,304,898 data entries. Some of the entries included personal details such as email addresses, phone numbers and account logins.

Global data leaks

These insecure databases are based in 20 nations all over the world, with China having the highest number of unsecured online databases: almost 4,000 insecure databases estimated to hold more than 2.6 billion records. 

The country with the second-highest number of unsecured databases is the United States, which has almost 3,000 databases exposing 2.3 billion data entries.

India came third on the list, with around 520 unsecured databases with around 4,878,723 data entries that could have been freely accessed on the internet. 

The rest of the Top 10 countries on NordPass' list of exposed databases were Germany (361 databases), Singapore (355 databases), France (247 databases), South Africa (239 databases), The Netherlands (149 databases), Russia (148 databases) and the United Kingdom (140 databases).

Tom's Guide could not verify any of these numbers. NordPass did not provide any information on how many of these 10 billion records might have contained sensitive information such as passwords, or how many exposed passwords were encrypted.

The fact that the security researcher is not named -- he or she is described by NordPass as a "white hat hacker" who has "requested to stay anonymous" -- means we have to take NordPass at its word.

The researcher conducted the study over a year, from June 2019 to June 2020, so some of the exposed databases cited may since have been secured or taken offline.

Potentially hugely damaging 

NordPass explained that “some of this data might be useless and only used for testing", but warned that “much of it could be damaging if exposed”. (It didn't say exactly how much.)

The firm pointed out that many of the biggest data breaches to happen over the past year involved insecure databases. It said in a media release: “For example, millions of Facebook records were exposed on a public Amazon server. 

“In another incident, an unsecured database exposed information of 80 million US households. The data included victims’ addresses, income, and marital status. A rehabilitation clinic in the US also suffered from a data leak, over which nearly 150,000 patients had their personal information exposed.”

What’s particularly worrying about insecure databases is that they can be easily accessed on the internet and subsequently abused by threat actors.

NordPass said: “While the idea of searching for exposed databases may seem complex, the process itself is quite straightforward. 

“Search engines like Censys or Shodan scan the web constantly and let anyone view open databases in just a few clicks. If the database managers used the default logins, getting into one would be a piece of cake.”

What to do 

Jake Moore, a security specialist at ESET, told Tom's Guide a number of simple steps that you can take to protect yourself from data leaks. 

“This comes as yet another reminder to not reuse passwords as it can never be assured that your data will be kept secure forever," Moore told us. “The best place to start is by downloading a reputable password manager and throw away all those reused passwords you may have – even for those throwaway accounts. 

"Once this has been implemented into your daily routine, it is worth noting that when complemented with two factor authentication, 2FA, your accounts will be even better protected even if the password is ever compromised. 2FA can be found in many apps and account settings and is extremely simple to set up.”

  • More: Stay anonymous without the spend with a cheap VPN

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!