Security researchers have uncovered a colossal data leak that exposed the personal information of more than 100 million U.S. citizens.
Cybernews first spotted the misconfigured database belonging to background-check firm MC2 Data, which reportedly allowed unauthorized access to 2.2 TB of sensitive data.
What was leaked?
The database contained 106 million records, including:
- Full names
- Email addresses
- IP addresses
- Dates of birth
- Partial payment data
- Home addresses
- Phone numbers
- Employment and legal histories
- Property records
- Information on family members, relatives, and neighbors
Darren James, Senior Product Manager at Specops Software, noted that encrypted passwords were also exposed. While encryption offers some protection, these passwords are still vulnerable to brute-force attacks. Once cracked—especially when paired with exposed email addresses—they could grant attackers access to additional systems due to the widespread reuse of passwords.
In addition, more than 2.3 million MC2 Data customers were affected. Their records may contain employer- and law-enforcement-related data, making them prime targets for cybercriminals.
Security implications and industry impact
MC2 Data operates popular background-check sites such as PrivateRecords.net and PeopleSearchUSA, aggregating information from public sources for employers, landlords, and others. The breach now places over 100 million individuals at heightened risk of identity theft, fraud, and other cyberattacks.
Researchers warn that cybercriminals can readily exploit such misconfigurations to harvest detailed personal profiles.
Javvad Malik, Security Awareness Advocate at KnowBe4, commented:
“This is yet another major security lapse that fits the all-too-familiar narrative of ‘human error.’ While it’s easy to blame an individual for failing to mark a database private instead of public, this incident highlights a deeper issue: security still isn’t getting the attention it deserves.”
Infosecurity reached out to MC2 Data through its legal counsel, Strauss Borrelli PLLC, seeking clarification on the breach and remediation steps. At the time of publication, no response had been received.
We will update this story as more information becomes available. Sources close to the investigation indicate the database has since been secured.
