Business to business marketing company OneMoreLead has been found to have exposed the records of over 63 million U.S. citizens on the internet via a misconfigured database.

The data was found on an unsecured database that the company had left completely open by Ran Locar and Noam Rotem, researchers at vpnMentor. The database had 126 million records and included names, job titles, email addresses, physical addresses, phone numbers, IP addresses and employer names.

Notably, the records included the private data of government and police employees. The researchers note that not only is that data a potential goldmine for hackers, it’s also highly appealing to foreign governments as well.

“Cybercriminals could easily use this information to pursue financial fraud against everyone exposed,” the researchers noted. “Simultaneously, they could use the information to build effective phishing campaigns, posing as a person’s employer, the government, and other trusted organizations.”

The origins of OneMoreLead are also questionable. The company is said to be new and it has no known clients. That said, a Who.is lookup has the domain name being registered in 2016, but likewise, there’s no company registered by that name in the U.S. Securities and Exchange Commission company database either.

The researchers suggest that given that the company appears to be new, the data is likely linked to a business being previously operated.

“This is a huge amount of data to be collected by or stored by such a new organization and something seems odd about the ordeal,” Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc. told SiliconANGLE. “To have this sort of data sitting exposed on an unfinished website of a company showing no customers and with no way to sign up for their services should really raise some eyebrows around the source of this data”.

“Organizations have a responsibility to protect sensitive information whenever it is collected and regardless of the amount of data collected,” Kron explained. “The data referenced here is a gold mine for cybercriminals putting together social engineering campaigns to facilitate scams, identity theft and even spread malware and ransomware.”

“By using data such as this, attackers can make phishing emails or text messages seem like they are coming from someone they are familiar with, or who is at least familiar with them, greatly improving effectiveness,” Kron added.

Image: OneMoreLead