A California auto loan company left the names , addresses , credit scores and partial Social Security numbers of up to 1 million people exposed Attack.Databreach on an insecure online database . The company behind the database is Alliance Direct Lending Corporation , according to Kromtech Security Research Center , which discovered the data earlier this week . It said the data was found on an unprotected Amazon server and that the data could have been exposed Attack.Databreach for up to two years . According to Alliance Direct Lending ’ s website , the company works with individuals and auto dealership partners to help car owners refinance existing auto loans . Data stored in the cloud was in clear text , according Diachenko . He said data also included several dozen recorded voice conversations with customers that disclosed full Social Security numbers of loan applicants . Sample data included the names of 114 car dealerships . According to Kromtech , it estimated between 550,000 to 1.1 million loan records from those dealers were exposed Attack.Databreach online . Dealers were located across the United States from California , Colorado , Florida and Massachusetts . Kromtech said it was unsure if additional third parties may have accessed Attack.Databreach the data . Privacy experts said the data in the hands of the wrong person would be a nightmare for victims . A criminal that knows the data comes from people who have refinanced their car loan and may have less than stellar credit , coupled with partial Social Security numbers , would be a dream come true . “ Things could go wrong on a variety of levels . The data could be used to phish additional data Attack.Phishing via email or phone scams . That ’ s not even mentioning the reputational damage to those in the database with bad credit scores , ” said Adam Levin , chairman and founder of CyberScout . The data found by Kromtech was on an Amazon ’ s AWS S3 server . AWS S3 is marketed as an easy-to-use web service that allows businesses to store and retrieve data at a moment ’ s notice . Data is stored in what Amazon calls buckets . “ The Kromtech Security Research Center has seen an increase in vulnerable AWS S3 buckets recently due to misconfigurations or public settings , ” Diachenko said . “ We have identified hundreds of misconfigured instances and we have been focused on helping to secure them as soon as we identify who the data belongs to. ” He said companies should consider Alliance Direct Lending ’ s example a sobering reminder that companies and individuals need to make sure their data is secure . For Diachenko , this is the latest in a string of insecure database he has helped uncover . In January , he was part of a research team that found 400,000 audio files associated with a Florida company ’ s telemarketing efforts were stored insecurely online . In February , Kromtech researchers found tens of thousands of sensitive documents insecurely stored online belonging to a print and marketing firm . Thousands of resumes and job applications from U.S. military veterans , law enforcement , and others were leaked Attack.Databreach by a recruiting vendor in an unsecured AWS S3 bucket .