WASHINGTON — A cybersecurity company says it has found a hacker selling personally identifying information of more than 200 million Americans, including the voter registration data of 186 million.
The revelation underscored how vulnerable Americans are to email targeting by criminals and foreign adversaries, even as U.S. officials announced that Iran and Russia had obtained voter registration data and email addresses with an eye toward interfering in the 2020 election.
Much of the data identified by Trustwave, a global cybersecurity company, is publicly available, and almost all of it is the kind that is regularly bought and sold by legitimate businesses. But the fact that so many names, email addresses, phone numbers and voter registration records were found for sale in bulk on the so-called dark web underscores how easily criminals and foreign adversaries can deploy it as the FBI said Iran has done recently, by sending emails designed to intimidate voters.
"An enormous amount of data about U.S. citizens is available to cyber criminals" and foreign adversaries, said Ziv Mador, vice president of security research at Trustwave, which found the material.
"In the wrong hands, this voter and consumer data can easily be used for geotargeted disinformation campaigns over social media, email phishing and text and phone scams," he added, "before, during and after the election, especially if results are contested."
The data is a mix of material stolen in various hacks of companies in recent years and publicly available data retrieved from government websites, he said. In most states, voter registration information is publicly available, for example.
Trustwave monitors dark web forums for threat information, and it came across a hacker calling himself Greenmoon2019 who was offering the data for sale. Trustwave used fictitious identities to induce the hacker to provide more information, including a Bitcoin wallet that Greenmoon2019 used to collect payment.
Bitcoin wallets — virtual storage facilities for the most commonly used cryptocurrency — publicly display transactions but not the identities of those making them. Trustwave was able to trace payments to a larger wallet, created in May, that has taken in $100 million in what the company believes is illicit proceeds, Mador said. Not all of that was from data sales, he said.
The wide availability of personal information is not new, but the idea that such a huge cache is for sale as the election approaches underscores how easy it would be for malicious actors to cause trouble. Trustwave said the hacker was offering 186 million voter records and 245 million records of other personal data.
National Intelligence Director John Ratcliffe said Wednesday night that Iran had obtained voter registration information and used it to send threatening emails to Democrats while posing as the Proud Boys, a white supremacist group. Ratcliffe said the Russian government had also obtained voter registration information.
Voter registration data is public in many states, but email addresses are not often part of the public data. The hacker identified by Trustwave used other stolen data to pair email addresses with voter rolls and offer it for sale as a package, Mador said.
The databases on sale by Greenmoon2019 would allow malicious actors to target the email addresses of only registered Democrats, for example, or only registered Republicans.
Trustwave said it turned over what it had gathered to the FBI, which told NBC News in a statement:
"We are committed to finding and investigating fraud during this election. While we cannot comment on information we may or may not have received from the public, we want to assure the American people the FBI is closely coordinated with our federal, state, and local partners to safeguard our voting processes."