The names and precise geolocations of over 111,000 British customers of firearms seller Guntrader were recently leaked on the web through a CSV file compatible with Google Earth, enabling firearms thieves and other malicious actors to target the victims.
Earlier this week, The Register reported that the CSV file was leaked on the Internet via an animal rights activist’s blog. The file was “explicitly advertised as being importable into Google Earth”. This means malicious actors can import the Google Drive-hosted CSV file into Google Earth and view the precise geolocations of firearms owners.
The fact that the personal information of Guntrader customers was breached first came to light in July. As per reports, a database belonging to the firm, which advertises itself as the UK’s premier destination for buying and selling used shotguns, rifles, and shooting equipment, was accessed by unauthorised individuals on July 19.
The stolen database contained over 100,000 customer data records, including firearms owners’ names, phone numbers, postal addresses, IP addresses, bcrypt-hashed passwords, geolocation data, and the name of the police force that issued RFD certificates.
Soon after the breach took place and was disclosed by Guntrader, BASC, the British Association for Shooting and Conservation, warned over 150,000 users to be vigilant about their home security, as their personal information had been stolen by hackers.
“Our advice to members would be to check home security and be extra vigilant. Make sure all firearms are appropriately locked away and make sure buildings are kept secure. Follow normal good crime security advice and report anything suspicious to the police,” said Martin Parker, the head of firearms at BASC.
According to The Register’s latest report, the database, which can now be imported into Google Earth, contains the personal details of approximately 111,295 people who bought or sold firearms on the Guntrader website. The stolen data was collected by Guntrader between 2016 and July 17 this year, so it can be assumed that a significant percentage of the breached postal addresses, IP addresses, and phone numbers could still be valid.