A day before elections, hacked details of millions of Israeli voters exposed online

Hackers have exposed online personal details of 6.5 million Israeli voters, less than 24 hours before the country goes to the polls in the fourth election in the last two years. The most sensitive details, which appear to be the residential addresses, phone numbers, and dates of birth of the registered voters, are apparently from a leak that took place a year ago. One file, however, which includes people’s full names and their assigned voting stations, looks to be updated to reflect the current voting round.

The data was exposed after hackers made threats last week against Elector Software Ltd., the operators of the voter-prompting Elector App, which is used by the ruling Likud party and several others. The threats, some of which were sent directly to the company, included warnings that the attackers would leak data that was allegedly stolen from the app, as well as personal information on the company’s CEO Tzur Yemin, and his family unless the app ceases operating. “This is an extortion attempt and I have filed a complaint to the police,” Tzur told Calcalist.

Last week the hackers threatened to expose Israel’s full voter registry. The threats were accompanied by a direct attack on Elector, which according to the hackers, did not take responsibility for breaches in its systems that were identified a year ago, despite there being no indications that the app was breached in the current election cycle and independent security analysts assuring Calcalist that it was secure.

Alongside their threats, the hackers also added links to download the data they claim was leaked from the app. The files, however, were encrypted, with the hackers threatening to distribute the password unless use of the Elector app was discontinued. “The passwords will be distributed in the coming days if they choose to continue lying,” the hacker wrote. Elector representatives said that the hackers concurrently sent direct messages to the company, with one of them saying, “You don’t have long left until information about your family is exposed too.”

On Monday, the hackers made good on their threat and released the password via websites that don’t require registration and enable anyone to anonymously share online texts or files without requiring them to identify themselves.

The password provided by the hackers revealed files with personal data on the 6.5 million voters that included full names, mobile phone numbers, full addresses, voting station registration, gender, and email address. The formatting of the files resembles that used by voter-prompting apps, with fields named “Support” apparently to indicate support for the party that operates the app, whether the voter requires transportation to reach the polling booth, and a field with general comments like “change status to vigorous supporter.” However, according to indications by Calcalist, the more detailed files are more than a year old. A file that was uploaded today featured only names and voting stations, but appears to be current with information that has bearing on tomorrow’s elections. The last batch of files do not appear to have been sourced from vote-prompting apps since the details are too scant.

The files, along with the password are available online, with those who wish to view them requiring only the web address, meaning that the private details of millions of Israeli voters are essentially available for anyone with basic understanding of the web and familiarity with the type of sites that tend to distribute such information. The files will be available to download for at least the next three weeks, with authorities having no way to prevent people from downloading them or forcing the host sites to remove them.

Last year, Calcalist reported on a string of hacks that led to data from Elector to be leaked. However, there is no indication that there was a similar leak in the current elections and there is no way to tell whether the older data originally came from the leaks exposed last year or from breaches in apps used by other parties.

All this makes the threats directed by the hackers at Elector especially problematic, giving them an air of an extortion attempt. “I deal with a product that provides a service to political parties at election time, with all the implications. I had no idea what the implications might be until I started providing the service to the Likud,” Yemin told Calcalist. “When my colleagues in the software field hear about the threats that my family and I received, they were shocked. Funnily enough, the better the app works, the more frequent the threats become. My wife is afraid to leave our home because of threats on Facebook. It is legitimate to oppose the way the system works and I acknowledge that it is controversial, but it is legal and provides services to customers in the U.S. too. This is an attempt to harm an Israeli startup.”

“The voters’ registry is handed out hundreds of times a year to many and various organizations and there is no way to determine where the data came from,” an Elector representative said. “The Cyber Directorate even conducted an intrusive inspection of our company and stated that it was opposed to having the app taken offline since it is secure.”