Massive leak exposes data on 123 million US households

The door to your personal data got left wide open once again.

Researchers revealed Tuesday that earlier this year they discovered a massive database -- containing information on more than 123 million American households -- that was sitting unsecured on the internet.

The cloud-based data repository from marketing analytics company Alteryx exposed a wide range of personal details about virtually every American household, according to researchers at cybersecurity company UpGuard. The leak put consumers at risk for a range of nefarious activities, from spamming to identity theft, the researchers warned.

Though no names were exposed, the data set included 248 different data fields covering a wide variety of specific personal information, including address, age, gender, education, occupation and marital status. Other fields included mortgage and financial information, phone numbers and the number of children in the household.

"From home addresses and contact information, to mortgage ownership and financial histories, to very specific analysis of purchasing behavior, the exposed data constitutes a remarkably invasive glimpse into the lives of American consumers," UpGuard researchers Chris Vickery and Dan O'Sullivan wrote in their analysis.

A cascade of recent database breaches has left consumers on edge about the security of their personal information. After credit monitoring company Equifax revealed in September that cybercriminals had made off with data on more than 145 million Americans, US lawmakers began efforts to hold such businesses accountable to the everyday people whose data they collect for profit.

The Alteryx database was discovered in October in a misconfigured Amazon Web Services S3 cloud storage "bucket," the researchers said, allowing access to anyone with an easily obtainable account.

The repository contained massive data sets belonging to Alteryx partner Experian, a consumer credit reporting agency that competes with Equifax, and already publicly available data from the US Census Bureau, researchers said. Alteryx apparently purchased the data from Experian's ConsumerView marketing database, a product sold to other companies that contains a combination of publicly available information and more personal data.

Neither Alteryx nor Experian responded to a request for comment. In a statement to Forbes, Alteryx said the database had been secured, and it downplayed the leak's severity.

"Specifically, this file held marketing data, including aggregated and de-identified information based on models and estimations provided by a third-party content provider, and was made available to our customers who purchased and used this data for analytic purposes," Alteryx said. "The information in the file does not pose a risk of identity theft to any consumers."

Experian struck a similar note in response to Forbes' query about the leak.

"This is an Alteryx issue, and does not involve any Experian systems," a spokesperson said. "Alteryx has already confirmed with you that the data in question contained no names of any individuals or any other personal identifying information, and does not pose any risk of identity theft to any consumers. We have been assured by Alteryx that they promptly remedied this issue."

The UpGuard researchers disagreed with that assessment.

"The data exposed in this bucket would be invaluable for unscrupulous marketers, spammers and identity thieves, for whom this data would be largely reliable and, more importantly, varied," the researchers said. "With a large database of potential victims to survey -- with such details as 'mortgage ownership' revealed, a common security verification question -- the price could be far higher than merely bad publicity."

Special Reports: All of CNET's most in-depth features in one easy spot.

It's Complicated: This is dating in the age of apps. Having fun yet? These stories get to the heart of the matter.