Lawrence Abrams reports:
An unsecured database has exposed the personal information of 8 million people from the U.S. who participated in online surveys, sweepstakes, and requests for free product samples.
[…]
Sanyam Jain, an independent security researcher and member of the GDI Foundation, discovered an unsecured Elasticsearch database that exposed the personal information of 8 million people who submitted entries to these types of sites.
As is often the case, identifying and then notifying the database owner to get unsecured data secured was not a walk in the park. Jain had reportedly found references to “userenroll.com” in the records. That domain belongs to an online marketing firm called PathEvolution.
Abrams reports that Jain reached out to Amazon for assistance notifying them when he was unable to do so. For his part, Abrams reports:
Ultimately, I was able to track down the owner of the database by finding that PathEvolution was owned by a parent company named Ifficient, who describes themselves as a “performance based marketing” company.
Read more on BleepingComputer.