A screenshot of identification documents that were stored in the database | Image: vpnMentor
Cybersecurity researcher Jeremiah Fowler, in collaboration with vpnMentor, discovered an unencrypted and non-password-protected database containing 245,949 records, many of which included highly sensitive personal and financial information.
According to Fowler’s disclosure: “The publicly exposed database was not password-protected or encrypted. It contained 245,949 records with a total size of 286.9 GB.”
In his investigation, Fowler found a range of sensitive files:
“I saw files that detailed PII such as names, physical addresses, email addresses, DOB, and SSN in plain text… There were also driver’s licenses, identification cards, SSN cards, work opportunity tax credit documents that included employment and salary information.”
Even more concerning were the DD214 forms, which are official U.S. military discharge documents, a prime target for identity theft. The leak also contained password-protected PDF files, but with filenames embedding personal information:
“The file names of these documents contained PII such as the employer’s name, applicant’s first and last name, a numeric code, and document number.”
Fowler noted the theoretical risk that passwords might be inferred from these filenames:
“It is theoretically possible that the numeric part of the file name could have contained the password to unlock the individual file.”
Evidence strongly suggests that the data belonged to Rockerbox, a Dallas-based tax credit consulting firm that works across multiple sectors like healthcare, logistics, and manufacturing. Fowler stated:
“Information contained in the internal files indicated the records appeared to belong to a Texas-based company called Rockerbox.”
However, despite sending a responsible disclosure notice, Fowler received no response:
“The database was restricted from public access several days later and no longer accessible. I did not receive any reply to my responsible disclosure notice.”
It remains unclear whether the database was managed directly by Rockerbox or a third-party vendor.
Fowler emphasizes that the breach stemmed from inconsistent access controls and poor data hygiene:
“Inconsistent security measures are a potentially serious risk to any organization that uses cloud storage for sensitive data.”
He warns that even seemingly trivial mistakes, such as embedding personal identifiers in URLs or filenames, can open doors for bad actors:
“Never rely on security through obscurity. Web-accessible files that contain identifiable information in the file path or name could potentially expose sensitive data.”
Though Fowler clarifies that he does not claim any misuse of the exposed data, he outlines the hypothetical risks:
“Exposed PII like SSNs, dates of birth, full names, and driver’s license numbers… may be targeted by criminals seeking to use this information for financial crimes or identity theft.”
He highlights that in 2024 alone, the FTC received over 1.1 million identity theft claims, with related fraud losses topping $12.7 billion, according to Experian.