Social platform for US and UK military may have exposed over a million records

News
By published

US and UK military data left exposed, experts warn

Detailed view of the US Army uniform worn by soldiers in a military base. Flag of America on the uniform.
(Image credit: Shutterstock)
  • An exposed database of UK and US military personnel has been found
  • The database contained over 1 million records and sensitive PII
  • The database has since been restricted, but it is not known how long it was exposed

A top cybersecurity researcher has uncovered an unprotected online database containing sensitive PII and data for members of the US and UK armed forces.

Jeremiah Fowler's writeup, shared with VPNMentor, outlines how the database belonged to Forces Penpals, a dating and social networking service for members of the armed forces, and contained 1,187,296 records.

Much of the data apparently included full names, addresses, social security numbers of US personnel, National Insurance Numbers and Service Numbers of UK personnel, along with rank, branch of service, dates, and locations of military service members.

Latest Videos From

Armed forces data left exposed

The database was discovered by Fowler without encryption or password protection, meaning that the database could have been accessed by anyone with an internet connection.

Fowler notified Forces Penpals about the exposure, and the database was protected the following day, however it is not known how long the database was exposed for, with Fowler noting that, “Only an internal forensic audit could identify additional access or potentially suspicious activity.”

Forces Penpals, which claims to have over 290,000 members, both civilian and military, replied to the exposure notice, and provided an explanation, “Thank you for contacting us. It is much appreciated. Looks like there was a coding error where the documents were going to the wrong bucket and directory listing was turned on for debugging and never turned off. The photos are public anyway so that's not an issue, but the documents certainly should not be public.”

The level of detail contained within some of the documents would provide a malicious user with enough information to launch an identity theft or social engineering campaign against exposed users.

Additionally, Fowler says, some of the exposed data contained within the database, such as ranks, levels of security clearance, and locations, could have national security implications.

Earlier this year, Chinese state-sponsored threat actors reportedly breached a third-party contractor for the UK Ministry of Defense and accessed the data of armed forces personnel, with a similar attack attempting to steal records of ex-RAF pilots also attributed to Chinese state-sponsored groups.

You might also like

Benedict Collins
Benedict Collins
Senior Writer, Security

Benedict is a Senior Security Writer at TechRadar Pro, where he has specialized in covering the intersection of geopolitics, cyber-warfare, and business security.

Benedict provides detailed analysis on state-sponsored threat actors, APT groups, and the protection of critical national infrastructure, with his reporting bridging the gap between technical threat intelligence and B2B security strategy.

Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the University of Buckingham Centre for Security and Intelligence Studies (BUCSIS), with his specialization providing him with a robust academic framework for deconstructing complex international conflicts and intelligence operations, and the ability to translate intricate security data into actionable insights.