Diachenko Discovered A Terrorist Watchlist Containing 1.9 Million Records Without A Password - Cybers Guards

Diachenko describes what he thought was a no-fly list maintained by the FBI's Terrorist Screening Center, a multi-agency body. The no-fly list is just one facet of the US Department of Homeland Security's larger terrorism watchlist. The watchlist holds data on people suspected of being involved in terrorism, even if they have not been charged with a crime. Only specific cleared personnel should have access to the list. The exposed watchlist's Elasticsearch cluster was accessible through the internet without authentication. A Bahrain IP address was used to host the database. Name, date of birth, citizenship, gender, no-fly indicator, passport details, TSC watchlist ID, and other fields were included in the exposed list. Diachenko discovered the watchlist on July 19 and reported it to the DHS the same day. Despite the fact that the Department acknowledged the issue, the watchlist remained online for another three weeks, until August 9. On July 19, the search engines Censys and ZoomEye indexed the unprotected server, according to Diachenko. "The Open Web Application Security Project (OWASP) recommends preventing unauthorized access to data and applications in two of its recommendations. Given that this research was discovered using commercial Open Source Intelligence and discovery technology, cyber criminals are likely to have seen and downloaded it," James McQuiggan, security awareness advocate at KnowBe4, stated in an email note. As Diachenko points out, the list "may be used to oppress, harass, or persecute those on the list and their families" if it falls into the wrong hands. This is especially true for those on the list who are completely innocent.
"To minimize the risk of a sensitive data breach, whenever companies upload data to be accessible via the cloud, all data must be encrypted and restricted to authorized users. Developers can understand and implement strong access and identity management rules, which support the organization's policy to safeguard all uploaded data, with comprehensive and robust security education and training," according to McQuiggan.
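The exposure described above is a configuration failure: an Elasticsearch node bound to a routable interface with authentication switched off. The following is an added example, not code from the article, from Diachenko, or from KnowBe4. It audits a flat elasticsearch.yml-style file for that pattern. The setting names (network.host, xpack.security.enabled, xpack.security.http.ssl.enabled) are real Elasticsearch keys; the sample configurations are constructed, and the checker assumes the 7.x-era default in which security is off unless explicitly enabled.

```python
"""Flag the exposure pattern from the article: an Elasticsearch node that
listens on a non-loopback address while xpack security is disabled.
Sample configs below are constructed for this example."""

from dataclasses import dataclass
from typing import Dict, List

# Values of network.host that keep the node reachable only from the machine itself.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


@dataclass(frozen=True)
class Finding:
    setting: str
    value: str
    message: str


def parse_simple_yaml(text: str) -> Dict[str, str]:
    """Parse flat 'key: value' lines, dropping comments and blank lines.
    Enough for elasticsearch.yml-style files; nested YAML is out of scope."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def is_public_bind(host: str) -> bool:
    """True when the bind address is reachable from beyond the local host."""
    return host not in LOOPBACK and not host.startswith("127.")


def audit(settings: Dict[str, str]) -> List[Finding]:
    """Return one Finding per weak setting that, combined with a public bind,
    lets anyone who can reach the HTTP port read every index."""
    findings: List[Finding] = []
    # Elasticsearch binds to loopback when network.host is unset.
    host = settings.get("network.host", "_local_")
    # Assumption: unset means disabled, as in the 7.x basic-license default.
    security = settings.get("xpack.security.enabled", "false").lower()
    tls = settings.get("xpack.security.http.ssl.enabled", "false").lower()

    if is_public_bind(host) and security != "true":
        findings.append(Finding(
            "xpack.security.enabled", security,
            f"node bound to {host} with authentication disabled: "
            "unauthenticated clients can read and modify all indices"))
    if is_public_bind(host) and tls != "true":
        findings.append(Finding(
            "xpack.security.http.ssl.enabled", tls,
            "HTTP API served in cleartext on a routable interface"))
    return findings


# Constructed sample: the weak configuration behind an exposure like this one.
EXPOSED_CONFIG = """
cluster.name: watchlist-demo
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: same bind address, but authentication and TLS required.
HARDENED_CONFIG = """
cluster.name: watchlist-demo
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}] {len(audit(parse_simple_yaml(cfg)))} finding(s)")
        for f in audit(parse_simple_yaml(cfg)):
            print(f"  {f.setting}={f.value}: {f.message}")
```

Run it against a node's elasticsearch.yml before the node is reachable from the internet; a clean audit here does not replace a network-level check (firewall rules, security-group membership), since a node can also be exposed by a reverse proxy or a port-forward the config file knows nothing about.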