Massive data leak could affect nearly all American adults, security researcher says
A new data leak could affect hundreds of millions of Americans, perhaps more than the nearly 150 million affected by the Equifax breach.
Exactis, a Florida-based marketing and data-aggregation firm, leaked detailed information on individual adults and businesses, a security researcher says. While the exact number of individuals affected isn’t known, the leak involved about 340 million records on a publicly available server.
Wired was the first to report that the exposed information included phone numbers, home addresses, email addresses and personal characteristics for every name, such as interests and habits, plus the number, age and gender of the person’s children. Other types of information found: religion, whether a person smokes, and type of pet.
No evidence has surfaced that anyone with malicious intent actually obtained the Exactis data. That makes it different from the Equifax hack, which was a cyberattack on the company’s data.
On its website, which was inaccessible as of Thursday morning, Exactis claims to have data on 218 million individuals, including 110 million U.S. households, and 3.5 billion “consumer, business, and digital records.”
Vinny Troia, the security researcher who discovered the leak and reported it to Exactis — which he said has since protected the data — told this publication Thursday that he looked for about 40 or 50 names and everybody he searched for came up. “I searched celebrities, I searched people I know,” he said.
“It seems like this is a database with pretty much every U.S. citizen in it,” Troia, who’s also founder of New York-based security company Night Lion Security, told Wired, which also asked Troia to look up names in the database and confirmed the authenticity of some of the information, although some of it was outdated. “I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen.”
Troia told Wired he was curious about the security of ElasticSearch, which the magazine described as “a popular type of database that’s designed to be easily queried over the internet using just the command line.” When he ran a search for that type of database, he came across the Exactis database, which was unprotected. He said he also told the Federal Bureau of Investigation about his findings.
If the Exactis numbers are accurate, this leak would be one of the biggest data security breaches in a while, topping last year’s Equifax breach and the number of Facebook users affected by the Cambridge Analytica privacy scandal, which according to Facebook was up to 87 million.
Unlike the Equifax breach, the information leaked by Exactis did not include Social Security numbers. But it did include some general financial information, Troia said Thursday.
“When I looked myself up, I found the name of my mortgage lender, the value class of my home and whether or not I had a certain kind of credit card,” Troia said.
Marc Rotenberg, executive director of the nonprofit Electronic Privacy Information Center, told Wired that the information leaked from Exactis could be used to impersonate others.
Exactis did not return a request for comment. The company’s clients include companies in the media, financial services and e-commerce industries, which it helps with targeted marketing campaigns, according to Crunchbase.