A screenshot of identification documents that were stored in the database | Image: vpnMentor
Cybersecurity researcher Jeremiah Fowler, in collaboration with vpnMentor, discovered an unencrypted and non-password-protected database containing 245,949 records, many of which included highly sensitive personal and financial information.
According to Fowler’s disclosure: “The publicly exposed database was not password-protected or encrypted. It contained 245,949 records with a total size of 286.9 GB.”
In his investigation, Fowler found a range of sensitive files:
“I saw files that detailed PII such as names, physical addresses, email addresses, DOB, and SSN in plain text… There were also driver’s licenses, identification cards, SSN cards, work opportunity tax credit documents that included employment and salary information.”
Even more concerning were the DD214 forms, which are official U.S. military discharge documents—a prime target for identity theft. The leak also contained password-protected PDF files, but with filenames embedding personal information:
“The file names of these documents contained PII such as the employer’s name, applicant’s first and last name, a numeric code, and document number.”
Fowler noted the theoretical risk that passwords might be inferred from these filenames:
“It is theoretically possible that the numeric part of the file name could have contained the password to unlock the individual file.”
Evidence strongly suggests that the data belonged to Rockerbox, a Dallas-based tax credit consulting firm that works across multiple sectors like healthcare, logistics, and manufacturing. Fowler stated:
“Information contained in the internal files indicated the records appeared to belong to a Texas-based company called Rockerbox.”
However, despite sending a responsible disclosure notice, Fowler received no response:
“The database was restricted from public access several days later and no longer accessible. I did not receive any reply to my responsible disclosure notice.”
It remains unclear whether the database was managed directly by Rockerbox or a third-party vendor.
Fowler emphasizes that the breach stemmed from inconsistent access controls and poor data hygiene:
“Inconsistent security measures are a potentially serious risk to any organization that uses cloud storage for sensitive data.”
He warns that even seemingly trivial mistakes—such as embedding personal identifiers in URLs or filenames—can open doors for bad actors:
“Never rely on security through obscurity. Web-accessible files that contain identifiable information in the file path or name could potentially expose sensitive data.”
Though Fowler clarifies that he does not claim any misuse of the exposed data, he outlines the hypothetical risks:
“Exposed PII like SSNs, dates of birth, full names, and driver’s license numbers… may be targeted by criminals seeking to use this information for financial crimes or identity theft.”
He highlights that in 2024 alone, the FTC received over 1.1 million identity theft claims, with related fraud losses topping $12.7 billion, according to Experian.