Security

Why is a 22GB database containing 56 million US folks' personal details sitting on the open internet using a Chinese IP address? Seriously, why?

If CheckPeople could take a look at this, that would be great


Exclusive A database containing the personal details of 56.25m US residents – from names and home addresses to phone numbers and ages – has been found on the public internet, served from a computer with a Chinese IP address, bizarrely enough.

The information silo appears to have been obtained somehow from Florida-based CheckPeople.com, which is a typical people-finder website: for a fee, you can enter someone's name, and it will look up their current and past addresses, phone numbers, email addresses, names of relatives, and even criminal records in some cases, all presumably gathered from public records.

However, all of this information is not only sitting in one place for spammers, miscreants, and other netizens to download in bulk, it's being served from an IP address associated with Alibaba's web hosting wing in Hangzhou, east China, for reasons unknown. It is a perfect illustration that not only is this sort of personal information in circulation, it's also in the hands of foreign adversaries.

A white-hat hacker operating under the handle Lynx discovered the trove online, and tipped off The Register. He told us he found the 22GB database exposed on the internet, including metadata that links the collection to CheckPeople.com. We have withheld further details for privacy protection reasons.

The repository's contents are likely scraped from public records, though together provide rather detailed profiles on tens of millions of folks in America. Basically, CheckPeople.com has done the hard work of aggregating public personal records, and this exposed NoSQL database makes that info even easier to crawl and process.

"In and of itself, the data is harmless, it's public data, but bundled like this I think it could actually be worth a lot to some people," Lynx told El Reg this week. "That's what scares me, when people start combining these with other datasets."

While CheckPeople.com also offers criminal record searches, Lynx did not find that information among the cache.

AWS has new tool for those leaky S3 buckets so, yeah, you might need to reconfigure a few things

READ MORE

The Register has repeatedly attempted to reach a human at CheckPeople to alert it to the leak, and the site's administrators have yet to respond. Its customer-support call center directed us to email the company, although our messages were subsequently ignored, it appears. Similarly, Lynx told us he has been unable to get hold of anyone beyond a third-party call center worker.

You would think a company trafficking in personal records would care a bit more about being able to be reached.

Whether this is data somehow siphoned from CheckPeople by a Chinese outfit and dumped lazily online, or a CheckPeople server hosted in China, is unclear.

However, under the laws of the People's Republic, government agencies can more or less search any machine at any time in the Middle Kingdom, meaning profiles on 56.5 million American residents appear to be at the fingertips of China, thanks to CheckPeople – we assume Beijing has files on all of us, though, to be fair.

Again, repeated attempts to contact CheckPeople for its side of the story were unsuccessful. Should the company decide to get in touch, we will update this story as needed. We have also pinged Alibaba to alert it to the exposed database, should it care about Americans' privacy. ®

Updated to add

An attorney for CheckPeople.com told us on Friday that the business is probing the matter:

CheckPeople is unaware of any database of information hosted in China or through Alibaba. CheckPeople’s records are stored in the United States on secure servers. However, CheckPeople takes security issues very seriously and is investigating this matter.

We understand the database has been removed from the Chinese server. Redacted screenshots of the records can be seen here.

Send us news
169 Comments
Get our Security newsletter

What links AMD CPU guru Jim Keller, an AI chip upstart, and SiFive? This vector-wrangling 64-bit RISC-V processor

Stressing the ex in x86

Canadian AI chip startup Tenstorrent, which is headed by former top AMD engineers, has picked one of SiFive's latest RISC-V CPU designs for its unconventional machine-learning processors.

Specifically, Tenstorrent will license SiFive's Intelligence X280 processor cores to slot them into its homegrown AI training and inference chips alongside its own Tensix cores.

The X280 is a 64-bit multi-core-capable RISC-V CPU design that supports the open-source instruction set architecture's vector math extension. That extension is expected to prove useful in accelerating machine-learning applications.

Continue reading

10 years later, Chrome OS starts to look like a proper OS with hardware diagnostics and the ability to scan documents

Are you really going to replace that battery, though, kids?

Whether it's a chilling situation or a welcome one is up for debate, but what started as an attempt to pare down an operating system to just the browser has become something more fully fledged, as the latest update to 10-year-old* Chrome OS demonstrates.

The newest version of the Linux-based operating system, Chrome OS 90, has been packed with features you'd reasonably expect from a first-class operating system. First on the list: the ability to monitor battery health as well as CPU and memory usage.

On Chrome OS 90, this information has been tucked away in a new Diagnostics app, which can also perform routine performance and health tests to determine whether the machine has an underlying hardware problem.

Continue reading

Capgemini scores £150m contract to help Student Loan Company overcome its IT problems 5 years after £50m superfail

Fragmented, inflexible estate? Reach for French outsourcers

Capgemini has won a £150m contract with the Student Loan Company (SLC) as the non-profit looks to write the next chapter in a troubled history with information technology.

The outsourcing and consultancy firm is to become a "Strategic Partner for Platform Delivery and Technology Services" to the non-departmental public body, according to a tender notice. It is expected "to deliver a wide range of services across our Platform Delivery and Technology Services area with the SLC Technology Group".

The contract started on 15 April 2021 and is set to run until 14 April 2028, the document said.

Continue reading

Sucks to be you, any aliens living anywhere near Proxima Centauri's record-smashing solar flare

Our stellar neighbor's biggest-ever belch would frazzle us Earthlings

Astronomers have described the most energetic solar flare yet detected from Proxima Centauri, the Sun's closest stellar neighbor.

It was a cosmic belch so intense, it's now pretty clear the star cannot provide the right conditions to support familiar DNA-based life on its exoplanets.

On May 1, 2019, researchers led by the University of Colorado, Boulder, spotted a sudden burst of light erupting from Proxima Centauri unlike any other flare previously seen before.

Continue reading

Sure, your app is crap, but Windows won't tell. Promise

One billboard outside Blairsville, Georgia

Bork!Bork!Bork! Windows for Billboards appears to be a thing and, judging by this example of the breed, it is a little under the weather.

Unless, perhaps, the billboard spotted by Register reader Paul last month is a bit of snark directed at Redmond by an opportunistic arch-rival. What better way to demonstrate the occasional wobbliness of Windows than by flinging up a truck-sized error dialog for all to see?

More likely it is a sign that there are some places where Windows simply doesn't belong, and smart signage is one of them.

Continue reading

But can it run Avid? The Reg hands shiny new M1 MacBook to video production pro, who beats it with Bender, Handbrake, and ... Hypercard?

He was there the day Steve Jobs moved off Power PC to Intel, and says the Arm transition looks better

Review I was three-quarters of the way through the third rewrite of this review before I remembered I was actually at Apple's WorldWide Developer Conference in 2005 when Steve Jobs got up and said: "Yep, we're going to Intel."

I mention that memory because the last Apple chip transition was quite a long time ago now. Maybe you've blanked out some details, but I'm confident you can't say it left any permanent scars.

If we're honest, decades of continually improving silicon speeds mean the release of a faster computer shouldn't be noteworthy. Perhaps the fact that this continues to fill us with wonder should be.

Continue reading

Apple, you've AirDrop'd the ball: Academics detail ways to leak contact info of nearby iThings for spear-phishing

Too bad there's no suggested solution... oh, wait

Apple's AirDrop has a couple of potentially annoying privacy weaknesses that Cupertino is so far refusing to address even though a solution has been offered.

A bug-hunting team at Technische Universität Darmstadt in Germany reverse engineered AirDrop – iOS and macOS's ad-hoc over-the-air file-sharing service – and found that senders and receivers may leak their contact details in the process. More than a billion people are said to be at risk of this, in that there are now more than a billion active iPhones at any one time. Despite the team alerting Apple to the oversight in May 2019, and suggesting ways to address it last October, the iGiant hasn't issued a fix.

"We started looking at the protocols in 2017," Dr Milan Stute at the uni's Secure Mobile Networking Lab told The Register on Wednesday. "We reverse engineered a lot of stuff and found two major issues."

Continue reading

In 2020, VMware said its remote work kit was brilliant. Now it says you need its new stuff to do it right

Improves integration and maturity, not quite the new-buzzword-worthy step-change Virtzilla wants

Throughout 2020, VMware told anyone who would listen that its end-user compute products enabled work from anywhere, on any device, with marvellous security, and were therefore just the thing to keep your organisation operating safely during lockdowns and whatever came next.

But now the virtualization giant wants you to buy more services to achieve the same outcome, with more sophistication.

Which seems odd because in March last year, VMware shared stories of customers who felt that the company’s Workspace ONE application publishing suite let their employees work from anywhere in a zero-trust environment.

Continue reading

Microsoft loves Linux – as in, it loves Linux users running Linux desktop apps on Windows PCs

Come inside, penguinistas, install that WSL GUI preview, yes, open source is totally winning here

Video Microsoft this week released a preview version of Windows Subsystem for Linux GUI, or WSLg, which provides a way to run Linux applications with graphic interfaces on Windows devices.

Foretold last year at the software titan's virtual Build 2020 conference, WSLg takes the previously released WSL 2 beyond Linux command line tools and apps and makes it the foundation of a functional Windows/Linux desktop chimera.

"You can use this feature to run any GUI application that might only exist in Linux, or to run your own applications or testing in a Linux environment," explained Craig Loewen, program manager for the Windows Developer Platform at Microsoft, in a blog post.

Continue reading

Asian buyers set for security spending spree to catch up on shabby strategies

China already growing even faster than 13% regional acceleration

Asian businesses are set for a security spending spree, according to analyst firm IDC.

The firm's new Worldwide Semiannual Security Spending Guide for 2021 has tipped the APAC region to spend US$23.1bn on security products and services in 2021, an increase of 12.6 per cent. Things are only getting better for vendors, as the analyst predicts five-year compound annual growth rate of 13.3 per cent over the period 2019-24, with spend in the last year totalling US$35bn.

Simon Piff, IDC’s APAC veep for trust, security, and blockchain research, suggested local businesses are playing security catch-up.

Continue reading

Huawei wins big intellectual property case in Europe – against fashion house Chanel

Court finds linked 'U' used on Smart Home app can't be confused with linked 'C' used on overpriced tat

Logowatch Huawei has had a big intellectual property win in Europe, defeating an action brought by fashion house Chanel over a new logo it introduced in 2017.

The Chinese company filed an application for the new logo in 2017 and described it as applicable to “Software and mobile applications to control and manage smart home devices and appliances, routers.”

Here is said mark.

Continue reading