A little-known marketing firm may have exposed the personal information of every adult in the US.
On Wednesday, a security researcher named Vinny Troia said he stumbled on a massive database containing the detailed records of 340 million people, all of which were mistakenly made available online.
The records were held in a database from Exactis, a firm that specializes in helping companies reach potential customers via email, phone number or postal address. For some reason, Exactis failed to place the database behind a firewall, leaving it open for anyone to access.
How long the database was exposed isn’t known, but it contained detailed information on 230 million consumers, and another 110 million business contacts, Troia told PCMag.
Each record can list the subject’s phone number, address, date of birth, estimated income, number of children, education level, credit rating and much more. According to Troia, the records are divided into dozens of different fields that can identify whether a person reads books, owns a dog or cat, or invests in real estate.
“I looked up a bunch of my friends and the data was all pretty accurate,” Troia said, adding: “This is more information that other people can use to create scams or do fraudulent activities.”
News of the leak was first reported by Wired. Fortunately, the affected records contain no Social Security numbers or credit card information. And according to Troia, Exactis pulled the database off the open internet when he contacted the company about the leak.
Still, the incident raises an unsettling question: Did any hackers notice the 340 million records too?
It’s certainly possible, given that the Exactis database was indexed online, according to Troia, who leads his own security firm, Night Lion Security. A month ago, he discovered the records while investigating the security of databases built with Elasticsearch. Using a search engine called Shodan, he was able to identify about 7,000 publicly accessible Elasticsearch databases, one of which he later discovered was owned by Exactis.
“The server was kind of wide open,” Troia said. “If anybody was looking for it, they could’ve found it and grabbed the data.”
So far, Exactis hasn’t publicly commented on the leak. However, the Florida-based company does claim to have records on 218 million individuals, along with 52 million records with business phone numbers.
How it obtained so much sensitive information isn’t clear. But Exactis is merely one of several data-mining firms that excel at collecting people’s personal data for marketing purposes. Other providers such as Acxiom can collect the information by tapping into public records, using consumer surveys or buying it from commercial entities that have managed to gather the data with your own consent.
As creepy as this sounds, the data-mining is usually done legally. But clearly, hoarding all that sensitive data can also pose a massive security risk.