Financial Security Breach
Posted by BANKUS on December 23rd 2019

More than 24 million financial and banking documents, representing tens of thousands of loans and mortgages from some of the biggest banks in the U.S., have been leaked online after a server security lapse. The server, running an Elasticsearch database, had more than a decade’s worth of data, containing loan and mortgage agreements, repayment schedules and other sensitive financial and tax documents linked to millions of citizens and their personal financial lives.
These private documents weren’t protected with a password, allowing anyone to access and read all the documents on file. It’s believed that the database was only exposed for two weeks — but long enough for independent security researcher Bob Diachenko to find the data.
"At first glance, it wasn’t immediately known who owned the data. After we inquired with several banks whose customers’ information was found on the server, the database was shut down on January 15."
Sandy Campbell, general counsel at Ascension’s parent company, Rocktop Partners, which owns more than 46,000 loans worth $4.4 billion, confirmed the security incident, but said its systems were unaffected.
“On January 15, this vendor learned of a server configuration error that may have led to exposure of some mortgage-related documents,” he said in a statement. “The vendor immediately shut down the server in question, and we are working with third-party forensics experts to investigate the situation. We are also in regular contact with law enforcement investigators and technology partners as this investigation proceeds.”
An unspecified portion of the loans were shared with the contractor for analysis, the statement added, but the company couldn’t immediately confirm how many loan documents were exposed. In a phone call, Campbell confirmed that the company will inform all affected customers, and report the incident to state regulators under data breach notification laws.
The documents pertain to loans and mortgages and other correspondence from several of the major financial and lending institutions dating as far back as 2008, if not earlier, including CitiFinancial, a now-defunct lending finance arm of Citigroup, files from HSBC Life Insurance, Wells Fargo, CapitalOne and some U.S. federal departments, including the Department of Housing and Urban Development. Some of the companies have long been out of business, after selling their mortgage divisions and assets to other companies.
Although not all files contained highly sensitive data points, there were still names, addresses, birth dates, Social Security numbers and bank and checking account numbers, as well as details of loan agreements that include sensitive financial information, such as why the person is requesting the loan. Some of the documents also note whether a person has filed for bankruptcy, and the files include tax documents such as annual W-2 tax forms, which are targets for scammers to claim false refunds.
The database stored documents in a random order, and they were not presented in an easy-to-read or formatted way, making it difficult to follow from one document to another, said Diachenko.
“These documents contained highly sensitive data, such as Social Security numbers, names, phones, addresses, credit history and other details which are usually part of a mortgage or credit report,” Diachenko told TechCrunch. “This information would be a gold mine for cyber criminals who would have everything they need to steal identities, file false tax returns, get loans or credit cards.”
The banks added that they are working to identify potentially affected customers. Many other companies are affected, including smaller regional banks and larger multinationals.