No Password, No Problem: How Missouri Leaked 600,000 SSNs

Personal information so sensitive that the U.S. government has passed law after law to protect it was sitting exposed on a public website for years, completely unnoticed.

The “Cyber Attack” That Wasn’t

Before I get to the super-hacker who did this and divulge their techniques, let’s get into how the story evolved.

In October of 2021, a journalist for the St. Louis Post-Dispatch, Josh Renaud, contacted the Missouri government to inform them of a website that was leaking the Social Security numbers of government employees online. Following journalistic and ethical guidelines, he attempted to alert the government ahead of posting an article in the newspaper, so they could move to protect the information.

After a few emails back and forth regarding the leak, the government’s response was: We’re not going to talk about this anymore.

Suddenly a press release was put out from the Missouri state government: “the hacker took the records of at least three educators, decoded the HTML source code, and viewed the social security number of those specific educators.”

Governor Mike Parson followed up with a press conference later.


“The state is committed to bringing to justice anyone who hacked our systems or anyone who aided them to do so.” He continued, “A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert or decode, so this was clearly a hack.”

He followed up by stating that he had enlisted the Missouri Highway Patrol to investigate the matter, and that recovering from this hack was estimated to cost the taxpayers 50 million dollars.

The Hacker… Was the Reporter

It was none other than Josh Renaud, the same journalist who tried to warn the state’s Department of Elementary and Secondary Education (DESE) about the data leakage.

His technique: he right-clicked on the web page with his mouse and chose “View Source” from the menu.

To be fair, there was a second step involved: the data appeared in the website’s source code as what is known as a Base64-encoded (not encrypted) string of characters. To show how easy it is to decode such a string, you can:

  1. Copy the following string:
    U29jaWFsIFNlY3VyaXR5IE51bWJlcjogMTIzLTQ1LTY3ODk=
  2. Go to a site such as: https://www.base64decode.org/
  3. Paste the string into the site and click Decode.

I’ll leave the results as an exercise for the reader. 😉

That’s it. No brute force, no backdoor, no credentials. Just a browser, a right-click, and a free online decoder.

Where Policy and Technology Both Failed

This wasn’t a rogue web app. It was a web-based teacher certification lookup tool, created around 2011 and maintained by Missouri’s Office of Administration Information Technology Services Division (OA-ITSD).

In 2009, Missouri consolidated all agency IT departments under this single office to improve efficiency. But that also meant web applications like this were often maintained by staff unfamiliar with the data’s sensitivity or the tools’ evolving best practices.

The result?

  • No regular security audits were followed up on.
  • No human QA reviewed how the page source behaved.
  • And no policy enforced routine inspections of live web pages for PII exposure.

It’s possible this vulnerability existed for nearly a decade before the reporter found it.
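
One way to automate the routine inspection of live pages for PII exposure mentioned above, as an added example (not code from the Missouri site or from this article): it scans page source for Base64 runs, decodes each one at all four character alignments, and reports any Social Security number pattern it finds, masked. The sample page, its field names and the value 987-65-4321 are constructed for illustration.

```python
import base64
import binascii
import re

# Constructed sample page: field names and 987-65-4321 are made up for illustration.
SAMPLE_BLOB = base64.b64encode(b"name=Jane Doe;ssn=987-65-4321").decode()
SAMPLE_PAGE = f"""<html><body>
<h1>Educator lookup</h1>
<input type="hidden" name="record" value="{SAMPLE_BLOB}">
<img src="/static/images/certification-banner-large.png">
</body></html>"""

# 16 Base64 characters carry 12 bytes, enough to hold "ddd-dd-dddd".
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}")
SSN = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def decodings(run: str):
    """Yield the bytes a Base64 run decodes to at each of its 4 alignments."""
    for skip in range(4):  # the real payload may start mid-run
        core = run[skip:]
        if len(core) % 4 == 1:
            core = core[:-1]  # 4n+1 characters is never valid Base64
        core += "=" * (-len(core) % 4)  # restore padding the regex left out
        try:
            decoded = base64.b64decode(core, validate=True)
        except binascii.Error:
            continue
        yield decoded


def find_encoded_ssns(page_source: str) -> list[tuple[int, str]]:
    """Return (offset in page, masked SSN) for each SSN hidden in Base64 text."""
    findings = []
    for match in B64_RUN.finditer(page_source):
        for decoded in decodings(match.group(0)):
            for ssn in SSN.finditer(decoded):
                # Mask the value so the scanner's own report does not leak it.
                masked = "***-**-" + ssn.group(0)[-4:].decode()
                findings.append((match.start(), masked))
    return findings


if __name__ == "__main__":
    for offset, masked in find_encoded_ssns(SAMPLE_PAGE):
        print(f"offset {offset}: Base64 text decodes to an SSN ({masked})")
```

The check covers the standard Base64 alphabet only; a page using the URL-safe alphabet or another reversible encoding needs its own decoder in the same loop.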

Protect Your Site and Your Customers

This wasn’t just a technology problem; it was a human one. The code might have been working, but nobody was looking at what it was actually doing. That’s the kind of thing we’re built to catch at Fresh Eyes Tech.

Want to Dig Deeper?

Here is a great podcast that dives into the details of the story. You should check out their other episodes as well.

Podcast: “Hacked”
Hosts: Jordan Bloemen and Scott Francis Winder
December 1, 2021

Episode: Dead Messengers

YouTube: “KOAM News Now”
Governor Mike Parson holds news conference regarding a potential security flaw in the education

Website: “Techdirt”
Turns Out It Was Actually The Missouri Governor’s Office Who Was Responsible For The Security Vulnerability Exposing Teacher Data

Website: “TechCrunch”
F12 isn’t hacking: Missouri governor threatens to prosecute local journalist for finding exposed state data

Website: “Ars Technica”
Missouri gov. calls journalist who found security flaw a “hacker,” threatens to sue
