Social platform for U.S. and UK military personnel may have leaked over a million records.
Experts warn about the vulnerability of exposed military data from the United States and the United Kingdom.
A prominent cybersecurity researcher has revealed the existence of an unprotected online database containing sensitive information about members of the armed forces of the United States and the United Kingdom. The analysis conducted by Jeremiah Fowler, shared with a security analysis platform, details that this database belonged to Forces Penpals, a dating and social networking service for military personnel, and contained a total of 1,187,296 records.
This data set included personally identifiable information (PII) such as full names, addresses, and Social Security numbers for U.S. personnel, as well as National Insurance numbers and service numbers for British personnel. It also contained members' ranks, branches of service, and dates and locations of military service.
The database Fowler discovered had no encryption or password protection, meaning that anyone with internet access could have viewed it. Once notified about the vulnerability, Forces Penpals took steps to secure the database the following day, although it is unclear how long it had been exposed. Fowler noted that "only a thorough internal forensic audit could identify any additional accesses or suspicious activities."
Forces Penpals, which claims to have over 290,000 members, both civilian and military, responded to the exposure notification. The company explained that a coding error had caused the documents to be directed to the wrong folder, and that directory listing had been enabled for debugging and was not turned off. Although they mentioned that the photos were public, they acknowledged that the documents should not have been publicly accessible.
The level of detail present in some of the exposed documents could allow a malicious user to conduct identity theft campaigns or social engineering against the affected users. Furthermore, Fowler warned that some of the exposed data, such as ranks, security clearances, and locations, could have implications for national security.
Earlier this year, state-sponsored threat actors from China reportedly accessed military personnel data by breaching an external contractor for the UK Ministry of Defence, suggesting that breaches of this kind remain an ongoing concern for the security of military personnel information.