Photo-illustration (REUTERS/Pawel Kopczynski)
A little-known marketing company may have exposed the personal details of every adult in the united states.
On Wednesday, a security researcher named Vinny Troia said he stumbled upon a huge database containing the detailed records of 340 million people, which was accidentally made available online.
The records were kept in a database of Exactis, a company that specialises in helping businesses to reach potential customers via e-mail, phone number or postal address. For some reason, Exactis failed for the database behind a firewall, leaving it open for everyone.
How long the database was exposed is not known, but it contained detailed information on 230 million consumers and 110 million business contacts, Troia told PCMag.
More From PCmag
PornHub Add Subtitles Category
Galaxy Note 9 Expected in Aug. 9 Samsung Unpacked Event
Microsoft Tweaks Facial-Recognition-Tech to Combat Prejudices
Keep Your Eyes on the Road, Not Infotainment Systems
Each record in the list, the subject phone number, address, date of birth, estimated income, number of children, education level, credit rating and much more. According to Troia, the records are divided into dozens of different fields that you can determine whether a person reads books, is the owner of a cat or a dog, or investing in real estate.
“I looked up with a number of my friends and the data was pretty accurate,” Troia said, adding: “This is the information that other people can use it to create scams or fraudulent activities.”
News of the leak was first reported. Fortunately, the records do not contain social security numbers or credit card information. And according to Troia, Exactis pulled the database from the internet when he contacted the company about the leak.
Still, the incident raises a disturbing question: Has anyone hackers please note that the 340 million records?
It is certainly possible, given the fact that the Exactis database is indexed online, according to Troia, who runs his own security company, Night Lion Security. A month ago, he discovered the records during the investigation into the security of databases built with Elasticsearch. With the help of a search engine called Shodan, he was able to identify approximately 7000 publicly accessible Elasticsearch databases, one of which he later discovered was in the possession of Exactis.
“The server was kind of open,” Troia said. “If someone was looking, they could have found and picked up the data.”
So far, Exactis has not yet publicly responded to the leak. However, the Florida-based company requires for records to 218 million people and 52 million records with business phone numbers.
How it obtained so much sensitive information is not clear. But Exactis is just one of the several data-mining companies that excel in the collection of personal data for marketing purposes. Other providers, such as Acxiom, the collection of the information by tapping into public registries, with the help of surveys or the purchase of commercial organisations that have managed to collect the data with your own consent.
As creepy as this sounds, the data-mining is usually done legally. But it is clear, hoarding all of that sensitive data can also pose a huge security risk.
This article originally appeared on PCMag.com.