Unclaimed Trove: Nearly 250,000 Sensitive Records Exposed in Rockerbox Database Leak

A massive trove of sensitive personal data—nearly a quarter million records—was left exposed in a misconfigured cloud database believed to be linked to a Dallas-based tax credit consultancy, Rockerbox. The discovery, made by cybersecurity researcher Jeremiah Fowler and reported to vpnMentor, reveals a sobering glimpse into how simple security lapses can create wide-open backdoors into citizens’ most sensitive documents.

The 286.9 GB database was unencrypted, unprotected by a password, and accessible to anyone with a web browser. Within its 245,949 records: Social Security numbers in plain text, full names, dates of birth, addresses, military discharge papers (DD214s), driver’s licenses, tax credit application files, and even identification cards.

What’s worse, the documents weren’t just exposed—they were organized in ways that made them easily scannable and potentially exploitable. File names often included employers’ names, applicants’ names, and form numbers. Some of the password-protected PDFs even contained what appeared to be the unlocking credentials embedded in their file names—a practice security professionals strongly discourage.

While Rockerbox never responded to Fowler’s responsible disclosure notice, the database was secured several days after the report was made. Still, it remains unknown how long the data was exposed or whether it was accessed by malicious actors during that time.

“Breaches like this, with so much personal and tax-related information, can be a real issue for the victims,” said Erich Kron, Security Awareness Advocate at KnowBe4. “The information is more than enough to steal an identity or to give attackers data they can use to make scams seem very convincing.”

The exposed data includes applications for tax incentives under programs like the Work Opportunity Tax Credit (WOTC) and Employee Retention Tax Credit (ERTC)—programs that require detailed documentation about employment, salary history, and eligibility, all of which was sitting in the open.

Fowler stresses that he did not bypass any password protections or attempt to access the encrypted files. But the design flaws—the lack of access controls, and the naming conventions that embedded personal identifiers—could have allowed even a low-skilled attacker to weaponize exposed URLs or guess passwords.

Kron emphasized that beyond just setting passwords, security must be cultural. “Organizations that collect and process information, such as this, need to ensure that security is a top priority within the organization,” he said. “Employees should be educated about social engineering attacks—the way most breaches start—and have technical controls in place to ensure data is encrypted and kept safe. Data Leakage Prevention (DLP) tools are critical in an organization like this, as are policies and procedures with a focus on data protection.”

The discovery is especially concerning given the rise in identity theft and fraud: The Federal Trade Commission logged over 1.1 million identity theft complaints in 2024 alone, with losses topping $12.7 billion. While no wrongdoing has been proven on Rockerbox’s part, and there’s no evidence of data misuse from this breach, the hypothetical risks are more than theoretical.

The company in question—Screen Technologies LLC, DBA Rockerbox.tech—has no affiliation with Rockerbox.com, the marketing analytics firm acquired by DoubleVerify in 2025.

Incidents like this serve as a stark reminder that in today’s hyper-connected cloud environments, even one exposed bucket can ripple into a breach of national scale. And while the debate rages on about AI exploits and zero-day vulnerabilities, the biggest threat may still come from unsecured data left out in the open—waiting to be found.