On Monday, Yahoo reported the FBI had uncovered evidence that foreign hackers had breached two US state election databases earlier this month. The article, based on a document the FBI distributed to concerned parties, was heavily framed around other recent hacks which have generally been attributed to Russia, including the Democratic National Committee email dump.
The thing is, voter records are not some extra-special commodity that only elite, nation-sponsored hackers can get hold of. Instead, ordinary cybercriminals trade this sort of data, and some states make it pretty easy to obtain voter data through legal means anyway.
In December of last year, CSO Online reported that a database of some 191 million US voter records had been exposed online. They weren't grabbed through hacking, per se: the dump was available to anyone who knew where to look, or was happy to just cycle through open databases sitting on the internet (which, incidentally, common cybercriminals are).
Tech Insider previously spoke with a hacker advertising registration records for voters from all 50 US states. Although the publication did not see the full set of data, they did manage to confirm a small number of samples provided to them.
And back in January, we reported that alleged voting records of millions of American citizens were uploaded to a dark web site linked to the well-known hacking forum Hell. Those files appeared to include voters' full names, dates of birth, the date they registered to vote, their physical address, local school districts, and other information too.
The dumps had been uploaded to a databin, where anyone with the password could easily just log in and help themselves to all of those details. (The password was also openly advertised on the Hell forum, so it wasn't an exclusive cache either.)
SQLi on state election systems is probably to get the same data voter-data-brokers sell, but in bulk.
Nicholas Weaver, August 29, 2016
It's likely that plenty of those records were obtained through semi-public sources, too: many states make this sort of information available to political campaigns, or advocacy groups. After the 191 million voting records were found online, Jim Gilliam, the CEO of NationBuilder, a company that provides records to various groups, said, "From what we've seen, the voter information included is already publicly available from each state government so no new or private information was released in this database." (The 191 million records didn't come directly from NationBuilder, Gilliam wrote, although some of the information may have come from data the company has made available.)
The FBI did not make clear which states this latest breach concerns; Yahoo points to Arizona and Illinois. Voter data for both of those states is available from NationBuilder, as long as one agrees to only use it for political purposes. Maybe the hackers just didn't fancy paying? But, without a bit more information, it's not known what exactly the hackers took, and whether it differs from the data provided by brokers such as NationBuilder.
(And as a side note, Yahoo says that a mere 200,000 records from Illinois were obtained. Small fry when compared to what is readily available across the internet, or what has been exposed before. Although it isn't comprehensive, there is even a website literally called VoterRecords.com, where you can look up over 50 million voter records for free. You don't get much further away from super-secret-hacker-goods than that.)
Sure, it may turn out that Russian intelligence hacked these latest voter databases, for reasons unknown. But failing to acknowledge that voter records are relatively easy to obtain, and generally overstating their value, seems misguided. I'm willing to bet that, if this breach had happened, say, a year ago, before the widespread coverage of the DNC dump, it would not be receiving as much attention as it is now.