Biometric data of US troops, known terrorists, and people who worked with American forces in Afghanistan and in the Middle East was sold via old US military equipment on eBay, the media reported.
The devices were purchased by a group of hackers, who found fingerprints, iris scans, peoples' pictures, and descriptions, all unencrypted and protected by a "well-documented" default password, reports The New York Times.
Some devices were left behind during the hasty withdrawal of NATO troops from Afghanistan.
Germany-based CCC researchers found large amounts of biometric and other personal data when analysing such devices.
"In the wrong hands, this data is life-threatening for people in Afghanistan and Iraq," they wrote in a blog post.
"On used US military equipment, we discovered, among other things, an unprotected biometrics database containing names, fingerprints, iris scans, and photographs of more than 2,600 Afghans and Iraqis," they added.
The various devices shopped online contained names and biometric data of two US military personnel, GPS coordinates of past deployment locations, and a massive biometrics database with names, fingerprints, iris scans and photos of 2,632 people.
The device containing this database had last been used somewhere between Kabul and Kandahar in mid-2012.
"The irresponsible handling of this high-risk technology is unbelievable," said Matthias Marx, who led the CCC research group.
"It is inconceivable to us that the manufacturer and former military users do not care that used devices with sensitive data are being hawked online," Marx said.