Marketing and data aggregation firm Exactis kept a database of around 340 million individual records on a publicly accessible server, Wired reports. Discovered by security researcher Vinny Troia from Night Lion Security, the data dump measured around two terabytes (2TB) and contained the personal information of around 230 million adults in North America along with 110 million businesses. Fortunately, credit card and social security numbers were not discovered within the data.
“It seems like this is a database with pretty much every U.S. citizen in it,” Troia said. “I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen.”
Troia could find just about everyone he knew in the data, and when he was asked to seek out 10 specific people, he quickly emerged with six. The data dump included simple information such as phone numbers, home addresses, and email addresses. But it also dug deep into each listed individual spanning more than 400 variables. For instance, the data listed whether individuals smoke, if they own pets, their preferred religion, favorite hobbies, and loads more.
Troia came across the data dump while researching the security of Elasticsearch databases using the search tool Shodan. Because these databases can be queried over the internet using a command line, he scanned for publicly accessible Elasticsearch-based servers using North American IP addresses. The scan produced 7,000 results, one of which served up the unprotected Exactis data dump.
Once he stumbled across the data dump and examined its contents, he contacted both the FBI and Exactis, the latter of which made the data inaccessible shortly after Troia’s notification. Still, anyone who performed an Elasticsearch scan prior to Troia likely discovered the Exactis data dump as well.
So far there is no evidence of foul play, but the data could already be circulating on the dark web. There is supposedly enough information in the data to produce scam campaigns even though financial and social security data isn’t present.
According to Exactis, the company plays host to 3.5 billion “consumer, business, and digital records.” Among that data is supposedly 110 million households in the U.S., 218 million individuals, 88 million records tying email addresses to postal addresses, and 112 million records with residential phone numbers.
“Data is the fuel that powers Exactis,” the company boasts. “Layer on hundreds of selects including demographic, geographic, lifestyle, interests, and behavioral data to target highly specific audiences with laser-like precision.”
The Exactis data dump surpasses the data breach seen by Equifax in 2017, which saw the data of 145.5 million individuals stolen by hackers. The difference here is that hackers didn’t infiltrate Exactis’ network, but rather the company simply left data exposed on a publicly accessed server. The situation is similar to what happened in June 2017 where the details of 198 million American voters were left unsecured on a publicly accessed cloud server.
What makes this data exposure scary is that Exactis may have your data and you don’t even know it. Even more, that data was left exposed with the potential to be scooped up by scammers.
