The data was found in July and was traced back to a former staffer at the Democratic Senatorial Campaign Committee (DSCC), an organization that seeks grassroots donations and contributions to help elect Democratic candidates to the US Senate.
The exposure was secured as soon as UpGuard researchers reached out to the DSCC; the cybersecurity firm nevertheless published its findings. The spreadsheet was titled “EmailExcludeClinton.csv” and was found in a similarly named Amazon S3 bucket that was unprotected and required no password. The file was uploaded in 2010, a year after former Democratic senator and presidential candidate Hillary Clinton, whom the data is believed to be named after, became secretary of state.
UpGuard said the data may be people “who had opted out or should otherwise be excluded” from the committee’s marketing.
Stewart Boss, a spokesperson for the DSCC, denied the data came from Clinton’s campaign and claimed the data had been created using the committee’s own information.
“A spreadsheet from nearly a decade ago that was created for fundraising purposes was removed in compliance with the stringent protocols we now have in place,” he told TechCrunch in an email.
The spokesperson, however, declined to say how the email addresses were collected, where the information came from, what the email addresses were used for, how long the bucket was exposed, or whether the committee knew if anyone else accessed or obtained the data. Among other addresses, researchers found more than 7,700 US government email addresses and 3,400 US military email addresses in the bucket.
UpGuard had previously reported on two “significantly larger exposures,” including a data analytics provider exposing the Republican National Committee’s “enriched voter database,” which included personal information for every registered American voter. Email addresses were not exposed in that case; however, names, dates of birth, home addresses, phone numbers, and voter registration details were revealed.
“The list of six million email addresses, with some link to Clinton and the DSCC, is a much smaller exposure than that with data for the entire US electorate,” the researchers wrote. “But it is still a large number of potential targets for a malicious actor, and enough context to make reasonable guesses about how to craft such an attack.”