Data firm LocalBlox exposes information collected from 48 million users

LocalBlox left a 1.2TB database file in an unprotected S3 bucket

LocalBlox gathered and exposed 48 million users' data

Cybersecurity experts released a report[1] on Wednesday stating that LocalBlox, a personal and business data search service, has scraped[2] the data of 48 million Facebook, Twitter, LinkedIn and other social network users. The firm was created in 2010 and has since focused on building profiles from publicly exposed information.

The collected data was then left in an Amazon S3[3] cloud storage bucket that was not password protected. This allowed anyone to access and download the information, which included names, physical addresses, dates of birth, job histories and similar.

The exposed file, “lbdumps”, was 1.2TB in size and contained 48 million virtual profiles, which made it possible to build a detailed three-dimensional image of every individual.

Chris Vickery, a security specialist from security team UpGuard, later discovered the S3 bucket. He informed chief technology officer Ashfaq Rahman of LocalBlox about the incident in late February 2018. The bucket was secured a few hours later.

LocalBlox is not taking any responsibility for the exposed data

A virtual profile is created by linking an IP address to multiple profiles on social networks. The data is then sorted and compiled together. This gave LocalBlox a clearer picture of the targeted person’s behavior and background. Thus, information harvested this way may be widely used for political campaigning or advertising purposes.

LocalBlox has been gathering data for a while now, claiming to have 650 million records[4] in its ID database and 180 million records in its mobile phone database.

Ashfaq Rahman was confident that the database was “hacked” by Vickery and that no other person had access to the large database file. Nevertheless, he failed to explain why he restricted access to the bucket a few hours after the exposure.

Additionally, Rahman claimed that “most” of the collected data was fake and only used for internal testing purposes. He did not provide the number of “fake” profiles.

The discovery of exposed data raises concerns amongst security experts and regular users

The Cambridge Analytica scandal recently hit Facebook.[5] It allowed the data analytics company to unlawfully gather personal information from 87 million Facebook users. This information was used to potentially influence US elections in 2016.

This resulted in Facebook introducing harsher privacy policies. Additionally, the social network giant is now investigating apps that gather a significant amount of information.

Social media networks and real estate site Zillow, which was also included in the data gathering procedure, advised that scraping of information without prior consent is prohibited.

However, there are no particular laws preventing analytics companies from gathering already public data, especially in the US. Data scraping companies are not a new phenomenon; nevertheless, this type of information harvesting is becoming even more prominent, as well as controversial.

Chris Vickery was concerned that social media platforms do not take enough responsibility for what is done to the user information exposed on their websites:

I think these companies need to take a little more responsibility over what's being done with this data, and reflect on the role they're playing in this day and age.

About the author
Linas Kiguolis
Linas Kiguolis - Expert in social media

Linas Kiguolis is one of News Editors and also the Social Media Manager of 2spyware project. He is an Applied Computer Science professional whose expertise in cyber security is a valuable addition to the team.
