A cybersecurity firm revealed this week that the Democratic Senatorial Campaign Committee left more than 6.2 million email addresses exposed in an online public "storage bucket" that may have pertained to Hillary Clinton's Senate campaign.
The data breach research team at the firm Upguard discovered the files last month. They apparently showed that an employee at the DSCC, the organization dedicated to electing Democrats to the Senate, had uploaded a spreadsheet of millions of Americans' email addresses to a “misconfigured” Amazon S3 storage bucket in 2010.
The firm said the bucket, titled “toclinton,” and the spreadsheet file with over 6 million email addresses, titled “EmailExcludeClinton.zip,” likely were associated with one of her New York Senate campaigns. The firm said the filename “seems to indicate that this was a list of people who had opted out or should otherwise be excluded from DSCC marketing emails.”
The file, however, apparently was created after Clinton's time in the Senate.
A spokesperson for the DSCC denied that the spreadsheet data came from Clinton’s Senate campaign and instead said it was a list created by a former DSCC staffer in 2010 and only included existing information.
"A spreadsheet from nearly a decade ago that was created for fundraising purposes was removed in compliance with the stringent protocols we now have in place," DSCC spokesperson Stewart Boss told Fox News in a statement. "Since the 2010 cycle, the DSCC now has a centralized and secure management of assets to ensure accounts are following proper security best practices, and all users and staff go through security awareness training to prevent issues like this."
The file, according to the firm, was last modified on Sept. 17, 2010—nearly a year after Clinton became former President Barack Obama’s secretary of state. The file also predates Clinton's own server scandal, in which she exclusively used a private server for government business during her time as secretary of state.
The firm said they contacted the DSCC on July 26 and by that afternoon, the bucket “had been secured, preventing future malicious use of the data.”
Clinton’s office did not respond to Fox News’ request for comment. TechCrunch first reported on the firm's findings.
Upguard researchers said that they have previously reported on two “significantly larger exposures,” including a data analytics provider exposing the Republican National Committee’s “enriched voter database,” which included personal information for every registered American voter. That exposure did not reveal email addresses of voters, but rather names, dates of birth, home addresses, phone numbers, and voter registration details, as well as data described as “modeled” voter ethnicities and religions.
“The list of six million email addresses, with some link to Clinton and the DSCC, is a much smaller exposure than that with data for the entire U.S. electorate,” the researchers wrote. “But it still a large number of potential targets for a malicious actor, and enough context to make reasonable guesses about how to craft such an attack.”
Upguard researchers warned of further lapses in data security surrounding political campaigns.
“This list contained only email addresses, but other political data sets contain far more information on individuals, down to psychographic information such as their habits, behaviors, and likely beliefs,” the firm’s research team wrote. “The same things that make this data valuable to political campaigns makes it valuable to malicious actors—intel on individuals that can be used to contact and influence them.”
They added: “If political data can be exposed for ten years, the risk created by that data has unknown half-life.”