The personal details of thousands of mostly US-based PC users have been discovered stashed on a server located in France, offering yet another indication of the use of the Internet to collect personal data on a vast scale.
The web page, which was live as of Monday morning, does not contain financial details of the users.
But other web pages associated with the same domain indicate the site could be connected to a group of hackers based in the Middle East known for their involvement in other Internet financial crime as well as defacing websites, said Chris Boyd, research manager for FaceTime Communications, a security company.
The ISP that hosts the page has been contacted, Boyd said.
The data appears to have been collected in April 2006, according to timestamps in the file, and includes people's full names, their addresses and their IP addresses. Also included are the names of the web sites from which the details were apparently collected.
Those web sites, most of which are no longer active, appear to offer a freebie, with names such as www.likefreestuff.com and www.freebgift.com.
The offer of a free gift is often made in exchange for data, Boyd said.
There's nothing illegal about collecting data that users voluntarily submit. Likewise, storing personal details for marketing purposes is not illegal. But leaving those details open on a server could violate European or US data protection laws.
It is not clear how the data on the French server is being used, but various hacker forums are aware it has been exposed, Boyd said. The email addresses could immediately be used to send spam, while the addresses of the users could potentially be used for identity fraud.
Research into the domain name hosting the data has also turned up clues that it may be connected to well-known hacking groups, he said. The server the domain is hosted on also hosts nearly 24,000 other domain names, another possible indication of phishing or other scam activity, Boyd said.