The voter information for approximately 35 million US citizens is being peddled on a popular hacking forum, two threat intelligence firms have discovered.
"To our knowledge this represents the first reference on the criminal underground of actors selling or distributing lists of 2018 voter registration data," said researchers from Anomali Labs and Intel471, the two companies who spotted the forum ad.
The two companies said they've reviewed a sample of the database records and determined the data to be valid with a "high degree of confidence."
Researchers say the data contains details such as full name, phone numbers, physical addresses, voting history, and other voting-related information. It is worth noting that some states consider this data public and offer it for download for free, but not all states have this policy.
The supposed data comes from 19 US states. The list and pricing, as advertised by the hacker himself, is as follows below:
- Montana - 1000$
- Louisiana - 5000$ (3 Million Voters)
- Iowa - 1100$
- Utah - 1100$
- Oregon - 500$
- South Carolina - 2500$
- Wisconsin - 12500$ (6 Million Voters)
- Kansas - 200$
- Georgia - 250$
- New Mexico - 4000$
- Minnesota - 150$
- Wyoming - 500$
- Kentucky - 2000$
- Idaho - 1000$
- Tennessee - 2500$
- South Dakota - 2500$
- Mississippi - 1100$
- West Virginia - 500$
- Texas - 1300$ (14 Million Voters)
"We estimate that the entire contents of the breach could exceed 35 million records," said Anomali Labs researchers.
Users commenting on the forum suggested this might be the data that was leaked in the Robocent incident in June, but the person who's selling the voter data claimed that "data is refreshed each Monday of every week," suggesting that he either still has access to the compromised servers or a way to receive these updates through other means.
"Certain states require the seller to personally travel to locations in-state to receive the updated voter information. This suggests the breach is not necessarily a technical compromise but rather an extensive operation involving cooperation within the election organizations," the Anomali Labs team pointed out.
The advertisement selling the 2018-updated voter records is one of the hacking forum's most popular topics. Anomali Labs says that within hours of the ad going online on October 5, there was a crowdfunding campaign up and running.
Multiple forum users pooled funds together to buy one or more databases part of this large offering and share them with the rest of the forum's registered users.
"At the time of this report, the first of 19 available voter databases, Kansas, has been acquired and published," Anomali Labs said. "A second crowdfunding project, voted by forum members to select the next state, is close to 20.7% of its funding goal. Oregon currently leads the voting for the second state to be published."
Anomali Labs
In an interview with ZDNet, Anomali Labs lead researchers Roberto Sanchez told us authorities have been made aware of the forum thread.
"Our operators engaged with the threat actor 'Downloading,' the original vendor of the voter database thread, to assess their credibility," Sanchez told ZDNet.
"We believe this to be an alias for the forum administrator named 'Omnipotent' based on shared email address between Downloading and Omnipotent."
Furthermore, Omnipotent has a history of sharing voter databases on his forum. Before the new thread advertising voter records from 19 states, he also shared voter records on his forum from five other US states:
- Washington 2018 Voter Database
- Pennsylvania 2018 Voter Database
- North Carolina 2018 Voter Database
- Florida 2018 Voter Database
- Connecticut 2018 Voter Database
- Ohio 2018 Voter Database
