The FBI’s Terrorist Screening Center (TSC) may have exposed the records of nearly 2 million individuals and left them accessible online for three weeks. Security researcher Bob Diachenko says he discovered a terrorist watchlist on July 19th that included information like the name, date of birth and passport number of those listed in the database. The cluster also included “no-fly” indicators.

According to Diachenko, the watchlist wasn’t password protected. Moreover, it was quickly indexed by search engines like Censys and ZoomEye before the Department of Homeland Security took the server offline on August 9th. It’s unclear who may have accessed the data.

“I immediately reported it to Department of Homeland Security officials, who acknowledged the incident and thanked me for my work,” Diachenko said in a LinkedIn post spotted by Bleeping Computer. “The DHS did not provide any further official comment, though.” We’ve reached out to the Department of Homeland Security.

Among the watchlists the TSC maintains is America’s no-fly list. Federal agencies like Transportation Security Administration (TSA) use the database to identify known or suspected terrorists attempting to enter the country. Suffice to say, the information included in the exposed watchlist was highly sensitive.

A recent bipartisan Senate report recently warned of glaring cybersecurity holes at several federal agencies, including the Department of Homeland Security. It said many of the bodies it audited had failed to implement even basic cybersecurity practices like multi-factor authentication and warned national security information was open to theft as a result.