Exposed Database Leaks Sensitive Details of 450+ U.S. Holders of Top-Secret Clearances, New Research Finds
New research reviewed by WIRED has revealed that sensitive personal information belonging to more than 450 individuals holding top-secret U.S. government security clearances was left publicly unprotected and exposed online. These people’s details were stored in a larger database of more than 7,000 job applicants who applied for open roles with Democratic Party offices in the U.S. House of Representatives over the past two years.
While scanning for unsecured public databases in late September, an ethical security researcher accidentally stumbled on the exposed data cache, which was hosted on a House Democrat-run platform called DomeWatch. The official service hosts a range of public congressional content, including live video streams of House floor proceedings, event calendars for congressional activities, and real-time updates on House vote outcomes. It also operates an internal job board and candidate résumé bank for open House Democratic roles.
After the researcher alerted the House Office of the Chief Administrator to the flaw on September 30, the database was secured within just a few hours. The only reply the researcher received was a brief message that read: “Thanks for flagging.” It remains unclear how long the data was left exposed to the public, or whether any unauthorized third parties accessed the information while it was unprotected.
The independent researcher, who requested anonymity due to the sensitive nature of their discovery, describes the exposed database as an internal “index” of job candidates. While full résumés were not included in the exposed cache, the system stored all standard information collected during the hiring process. The researcher confirmed entries included candidates’ short professional biographies, fields noting prior military service, active security clearances, and language skills, alongside core personal details such as full names, phone numbers, and email addresses. Every candidate was also assigned a unique internal identification number in the system.
“Many people listed in this data have 20 years of experience working on Capitol Hill,” the researcher told WIRED, noting that the dataset includes far more than just junior staff and entry-level interns. That scope is what makes the discovery so alarming, they explained: if the data fell into the wrong hands — such as those of a hostile foreign state or malicious hacking group — it could be used to target and compromise government or military personnel with access to classified information. “From the perspective of a foreign adversary, that is a gold mine of exactly who you want to target,” the researcher said.
WIRED reached out to the Office of the Chief Administrator and House Democratic leadership for comment on the incident. Multiple staff members were unavailable to respond, as they have been furloughed amid the ongoing U.S. government shutdown.
“Today, our office was informed that an outside vendor potentially exposed information stored in an internal site,” Joy Lee, spokesperson for House Democratic Whip Katherine Clark (whose office oversees DomeWatch), told WIRED in an October 22 statement. “We immediately alerted the Office of the Chief Administration Officer, and a full investigation has been launched to identify and rectify any security vulnerabilities.” Lee added that the outside vendor in question is “an independent consultant who helps with the backend” of the DomeWatch platform.
Unsecured, publicly accessible databases are widespread across the internet, and the researcher noted they likely would not have paused to investigate the DomeWatch data if they had not spotted keywords referencing top-secret security clearances during their scan. The incident underscores a key risk: even relatively small databases can hold information of extremely high value to nation-state actors engaged in espionage. For example, one entry in the dataset belonged to an individual with professional experience in intelligence and U.S.-China relations.
“Exposed databases are a widespread, non-partisan cybersecurity problem. Left unchecked, they enable targeted espionage, fraud, and identity abuse,” says Alexander Leslie, Senior Advisor for Government Affairs at threat intelligence firm Recorded Future, who was not involved in the original research. “If accurate, this dataset would be extremely sensitive. Military histories and clearance status give adversaries precise reconnaissance and pretexting opportunities, and foreign espionage actors could further use this data for spear-phishing, impersonation, and targeted social-engineering to gain access or compromise accounts.”
Per the researcher, the dataset also included information about candidates’ political party affiliations. Out of roughly 7,000 total entries, around 4,200 candidates had prior experience working in Congress. In total, 6,300 applicants were marked as Democratic Party affiliates, 17 were listed as Republican, and more than 250 were marked as independent or affiliated with other parties. The researcher also found links to additional files and documents hosted on separate cloud storage systems included in the exposed index.
Leslie also points out that known past breaches of U.S. government employment data — most notably the 2015 Office of Personnel Management hack — create what he calls “long-term U.S. national security and personnel risks” that persist for years after the initial incident.
“This research was not targeted toward any political party or affiliation,” the researcher who found the unsecured database said. “It was just finding data, realizing that it could be vulnerable, and thinking of all the ways that not just criminals could use it, but foreign adversaries. It shouldn’t be exposed.”