Social platform for US and UK military may have exposed over a million records

News
By
published

US and UK military data left exposed, experts warn

Detailed view of the US Army uniform worn by soldiers in a military base. Flag of America on the uniform.
(Image credit: Shutterstock)
  • An exposed database of UK and US military personnel has been found
  • The database contained over 1 million records and sensitive PII
  • The database has since been restricted, but it is not known how long it was exposed

A top cybersecurity researcher has uncovered an unprotected online database containing sensitive PII and data for members of the US and UK armed forces.

Jeremiah Fowler's writeup, shared with VPNMentor, outlines how the database belonged to Forces Penpals, a dating and social networking service for members of the armed forces, and contained 1,187,296 records.

Much of the data apparently included full names, addresses, social security numbers of US personnel, National Insurance Numbers and Service Numbers of UK personnel, along with rank, branch of service, dates, and locations of military service members.

Armed forces data left exposed

The database was discovered by Fowler without encryption or password protection, meaning that the database could have been accessed by anyone with an internet connection.

Fowler notified Forces Penpals about the exposure, and the database was protected the following day, however it is not known how long the database was exposed for, with Fowler noting that, “Only an internal forensic audit could identify additional access or potentially suspicious activity.”

Forces Penpals, which claims to have over 290,000 members, both civilian and military, replied to the exposure notice, and provided an explanation, “Thank you for contacting us. It is much appreciated. Looks like there was a coding error where the documents were going to the wrong bucket and directory listing was turned on for debugging and never turned off. The photos are public anyway so that's not an issue, but the documents certainly should not be public.”

The level of detail contained within some of the documents would provide a malicious user with enough information to launch an identity theft or social engineering campaign against exposed users.

Additionally, Fowler says, some of the exposed data contained within the database, such as ranks, levels of security clearance, and locations, could have national security implications.

Earlier this year, Chinese state-sponsored threat actors reportedly breached a third-party contractor for the UK Ministry of Defense and accessed the data of armed forces personnel, with a similar attack attempting to steal records of ex-RAF pilots also attributed to Chinese state-sponsored groups.

You might also like

Benedict Collins
Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division),  then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.