Exactis, a marketing and data aggregation firm, is at the center of a massive data leak that is being teed up as potentially worse than the Equifax data breach. At issue is the fact that the company left nearly two terabytes of personal data, or 340 million records, unprotected on a publicly accessible server. It is an interesting turn of events in a week in which California has fast-tracked data privacy legislation.
While there does not appear to be any evidence at this time that the data was stolen, Wired says it was “available to any hacker who simply knew where to look.”
It is believed that the cache of data does not include credit card information or social security numbers. However, it provides rich detail that goes above and beyond personal contact information, including, as Wired reported, a broad range of data sets. “The categories range from interests and habits to the number, age, and gender of the person’s children.” In addition, information relating to religion, smoking habits, and pets was also available.
The researcher, Vinny Troia, discovered the exposed database while searching for Elasticsearch databases, which are known for allowing queries over the internet from a command line. “So he simply used Shodan to search for all Elasticsearch databases visible on publicly accessible servers with American IP addresses. That returned about 7,000 results. As Troia combed through them, he quickly found the Exactis database, unprotected by any firewall,” writes Wired.
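The failure pattern the story describes is a node bound to a reachable interface with no authentication in front of it. The script below is an added, defender-side check, not code from the article and not Exactis's actual configuration (which the story does not describe): it audits an `elasticsearch.yml` for exactly that combination. The three sample configs are constructed for the example; the parser only handles flat `key: value` lines (the usual shape of that file); and treating an absent `xpack.security.enabled` as `false` mirrors the pre-8.x default and is an assumption, so adjust it for the version you run.

```python
"""Audit an elasticsearch.yml for the exposure pattern in the Exactis story:
a node reachable beyond loopback with X-Pack security switched off.
Added example; the sample configs below are constructed, not real deployments."""

# Constructed sample: the risky shape (bound to every interface, no auth).
EXPOSED_CONFIG = """\
cluster.name: marketing-data
# bind to every interface so other hosts can reach the node
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: private address, auth and TLS on (a firewall is still required).
HARDENED_CONFIG = """\
cluster.name: marketing-data
network.host: 10.0.5.12            # private address only
http.port: 9200
xpack.security.enabled: true       # authentication and authorization on
xpack.security.http.ssl.enabled: true
"""

# Constructed sample: default-style dev node, loopback only.
LOOPBACK_ONLY = """\
cluster.name: dev
network.host: 127.0.0.1
"""

# Values of network.host that keep the node off the network.
LOOPBACK_VALUES = {"127.0.0.1", "::1", "localhost", "_local_"}
# Values that bind every interface on the host.
ALL_INTERFACES = {"0.0.0.0", "::", "_global_"}


def parse_flat_yaml(text: str) -> dict:
    """Parse flat `key: value` lines; comments and blank lines are dropped.
    List-valued settings (e.g. network.host: [_local_, _site_]) are not expanded."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings


def is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def audit(text: str) -> list:
    """Return (severity, message) findings for one elasticsearch.yml body."""
    s = parse_flat_yaml(text)
    findings = []
    # Elasticsearch binds loopback when network.host is unset.
    host = s.get("network.host", "_local_")
    port = s.get("http.port", "9200")
    reachable = host not in LOOPBACK_VALUES
    # Assumption: an absent setting is treated as disabled (pre-8.x default).
    security_on = is_true(s.get("xpack.security.enabled", "false"))
    tls_on = is_true(s.get("xpack.security.http.ssl.enabled", "false"))

    if reachable and not security_on:
        findings.append(("CRITICAL",
            f"network.host={host} with xpack.security.enabled=false: any client "
            f"that can reach port {port} can query every index without credentials"))
    elif reachable and not tls_on:
        findings.append(("WARNING",
            "HTTP reachable without TLS: credentials and query results travel in clear text"))
    if host in ALL_INTERFACES:
        findings.append(("HIGH",
            f"network.host={host} binds every interface; a host firewall or "
            "security group must block external access to the HTTP port"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG),
                      ("hardened", HARDENED_CONFIG),
                      ("loopback", LOOPBACK_ONLY)):
        print(name, audit(cfg) or "no findings")
```

The check is deliberately local: it reads the file the node actually starts with, so it catches the misconfiguration before the node is ever reachable from the internet, which is the point at which a scan like the one in the story would find it.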
“I’m not the first person to think of scraping ElasticSearch servers,” Troia told Wired. “I’d be surprised if someone else didn’t already have this.”
The sheer size of the database, on top of the depth of detail, makes this discovery especially alarming. According to Wired, it’s difficult to know for sure how many individuals are affected. But reportedly, of the 340 million records found, 230 million are consumer records and 110 million are business contacts. To put that in context, the Equifax data breach affected “only” 145.5 million people. However, there’s no evidence at this point that Exactis’ exposed data has in fact fallen into the wrong hands.
Get the full story at Wired.