Green Card Lottery applicants see private data leaked online


Hundreds of thousands of people applying for the US Green Card Lottery have had their personally identifiable information (PII) exposed on the internet, due to sloppy data protection practices by a third party.

This is according to a report from researchers at Cybernews, who found the data and notified the company operating the database, which was subsequently locked.

As per the report, a private company known as US GREEN CARD OFFICE LIMITED (USGCO) kept the data on the applicants, as well as on their next of kin, in plaintext in an unprotected database that was available to anyone who knew where to look. Web crawlers, scrapers, or even usgreencardoffice website visitors could easily have found it.

Alarming and dangerous

The database held sensitive data on 202,000 Diversity Immigrant Visa program applicants, including email addresses, passwords stored as deprecated MD5 hashes, full names, genders, places and dates of birth, phone numbers, marital status, education, and number of children. Furthermore, the database held information on 147,000 “secondary users”, meaning spouses and children. This data included names, genders, marital status, dates of birth, places of birth, and education level.

The data seems to date from 2018.

“This leak is alarming and extends beyond inconvenience. It affects more than 350 thousand people, some of whom may be vulnerable due to their immigration status. Bad actors could exploit leaked contacts and crack the passwords stored using an outdated hashing algorithm from 1991. Social engineering attacks are also likely,” the report said.

While in most cases unprotected databases such as this one remain under the radar and out of sight of cybercriminals, this time around the chances are that someone had already found the database and taken its contents. Cybernews’ researchers found a reverse shell on the website hosting the database, which “indicates compromise”.

“A PHP script, called ‘navigation-s1O0f7.php’, appeared to be a reverse web shell used by malicious actors to extract information and transfer files from the server. This file was hidden and masqueraded as a Divi theme for WordPress – the website itself was not running on WordPress,” the researchers said.

As the shell file’s upload date is August 1, 2023, it is highly likely the data was taken. We will know for sure if, or when, it shows up for sale on the dark web. In the meantime, applicants should be wary of any email messages claiming to come from the Green Card Lottery.

TechRadar Pro has contacted USGCO for comment.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.