Earlier this month, a data researcher happened upon a data breach by data broker Exactis that included a database with about 340 million records that were accessible on the internet for anyone who knew where to look. Of the 340 million leaked records, 230 million contained personal information on individuals. The other 110 million contained information on businesses. If that count can be verified, it will make the Exactis leak bigger than the 2017 Equifax leak, which affected about 145.5 million people.
Financial information like credit cards or bank account numbers isn’t among the leaked data nor are social security numbers. What is included, however, is personal information like phone numbers, email addresses, home addresses and information about individual hobbies or interests. Wired reports that Vinny Troia, founder of Night Lion Security, says that the data seems to cover nearly every American as he has been able to find information on almost every person he searched for. Of the 10 individuals Wired asked him to find as a test, Troia was able to find six. “I don’t know where the data is coming from,” he said, “but it’s one of the most comprehensive collections I’ve ever seen.”
There’s no way to know if anyone with malicious intent has accessed the database, but Troia says it would be easy for a hacker to do. While doing some work for his security company, he used a search tool called Shodan that scans for internet devices. He was looking for ElasticSearch databases that can be seen on public servers with U.S. IP addresses. ElasticSearch is a database that allows internet queries using just a command line. When he examined the roughly 7,000 results of that query, he saw the Exactis database and discovered that it had no firewall protection. The database was simple enough to access, so easy, in fact, that Troia said he’d be surprised if someone else had not already gotten their hands on the data. He contacted Exactis and the FBI about the leak, and the data is no longer accessible.
While the leaked information doesn’t include financial information, it does include plenty of other personal information that could be used by scammers to create profiles and identify good targets. Each record contains up to 400 variables including things like whether or not the individual smokes, do they have an interest in plus-sized clothing, do they prefer cats or dogs, and whether or not they’re interested in scuba diving. Wired check some of the data and found most of it accurate but sometimes outdated.
This sort of leak is fairly common, unfortunately. Chris Vickery, a researcher with the security firm UpGuard, says he has seen this kind of leak on information “from 93 million Mexican citizens’ voter registration records to a list of 2.2 million ‘high-risk’ people suspected of crime or terrorism.”