Hundreds of thousands of people who signed up for the US Green Card Lottery have had their personally identifiable information (PII) exposed on the Internet due to shoddy data protection practices by a third party.
This is according to a report by researchers from Cybernews, who found the data and notified the company running the database, after which it was locked.
According to the report, a private company known as US GREEN CARD OFFICE LIMITED (USGCO) kept data on the applicants, as well as their close relatives, in plain text, in an unlocked database, available to anyone who knew where to look. Web crawlers, scrapers or even visitors to the GreencardOffice website could have easily found it.
Alarming and dangerous
The database contained sensitive data from 202,000 applicants to the Diversity Immigrant Visa program, including email addresses, passwords stored as outdated MD5 hashes, full names, genders, places and dates of birth, telephone numbers, marital status, education, and number of children. The database also held information about 147,000 “secondary users” – spouses and children. This data includes names, genders, marital status, date of birth, place of birth and education level.
The data appears to date from 2018.
“This leak is alarming and goes beyond inconvenience. It affects more than 350,000 people, some of whom may be vulnerable because of their immigration status. Bad actors could exploit leaked contacts and crack the stored passwords using an outdated hashing algorithm from 1991. Social engineering attacks are also likely,” the report said.
Although unprotected databases like this have in most cases remained under the radar and out of sight of cybercriminals, this time there is a good chance that someone has already found the database and taken its contents. Cybernews researchers found a reverse shell on the website hosting the database, which “indicates a compromise.”
“A PHP script called ‘navigation-s1O0f7.php’ was found to be a reverse web shell used by malicious actors to extract information and transfer files from the server. This file was hidden and disguised as a Divi theme for WordPress – the website itself was not running on WordPress,” the researchers said.
Since the shell file upload date is August 1, 2023, it is very likely that the data has been collected. We'll know for sure if and when it appears for sale on the dark web. In the meantime, applicants should be wary of email messages claiming to be from the Green Card Lottery.
Ny Breaking has contacted USGCO for comment.