The social platform for the US and British military may have exposed more than a million records
- An exposed database of British and American soldiers has been found
- The database contained more than 1 million records and sensitive PII
- The database has since had limited access, but it is unknown how long it has been exposed
A top cybersecurity researcher has exposed an unprotected online database containing sensitive PII and data belonging to members of the US and UK armed forces.
Jeremiah Fowler’s article, shared with VPNMentoroutlines how the database belonged to Forces Penpals, a dating and social networking service for members of the armed forces, and contained 1,187,296 records.
Much of the data apparently includes the full names, addresses, social security numbers of US personnel, national insurance numbers and service numbers of British personnel, along with military personnel’s rank, branch of service, dates and locations.
Armed Forces data remains visible
The database was discovered by Fowler without encryption or password protection, meaning anyone with an internet connection could access the database.
Fowler informed Forces Penpals of the exposure and the database was protected the next day. However, it is unknown how long the database was exposed. Fowler noted that “only an internal forensic audit could identify additional access or potentially suspicious activity. ”
Forces Penpals, which claims to have more than 290,000 members, both civilian and military, responded to the announcement, explaining: “Thank you for contacting us. It is much appreciated. It appears that there was an encoding error where the documents went to the wrong bucket and the directory listing was enabled for debugging and never disabled. The photos are public anyway, so that is not a problem, but the documents should certainly not be public.”
The level of detail in some documents would provide a malicious user with enough information to launch an identity theft or social engineering campaign against exposed users.
Additionally, Fowler says, some of the exposed data in the database, such as ranks, security clearance levels and locations, could have national security implications.
Earlier this year, Chinese state-sponsored threat actors reportedly breached a third-party contractor for the UK Ministry of Defense and accessed the data of armed forces personnel, with a similar attack attempted to steal data from ex-RAF pilots to steal, also attributed to Chinese state-sponsored groups.