Marketing Firm Exactis Leaks Personal Info of Almost Entire US
Ron Perillo / 2 years ago
340 Million Individual Records
Exactis is not a company name many Americans are familiar with. However, judging by the size of the latest data leak discovered by security researchers, they certainly know many Americans. Exactis is a marketing data and aggregation firm, based out of Palm Coast, Florida.
Researcher Vinny Troia of Night Lion Security discovered earlier this month that Exactis’ database was exposed on a publicly accessible server. This database contains over 2 Terabytes of data, with close to 340 million individual records. Thankfully, it does not contain any Social Security or credit card information.
However, Exactis specializes in marketing data. So this database contains relevant information like names, phone numbers, home addresses, and email addresses.
Plus, each record even contains entries that go far beyond contact information and public records. This includes more than 400 variables on a vast range of specific characteristics. This includes factors such as as whether a person smokes, whether they are religious, or even if they have dogs or cats, and more.
Where exactly they get their information is unclear, which certainly makes the whole affair even scarier. “I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen,” says Troia.
How Does Something Like This Happen?
It is security researchers like Troia’s job to find possible network vulnerabilities like these. However, in the case of Exactis, it was not exactly difficult to find. Their records were all publicly available and the database was not behind a Firewall.
Troia reached out to both Exactis and the FBI about his discovery last week. So the company has since protected the data, rendering it inaccessible. However, Troia states that it is surprising if someone else didn’t already accessed the data prior to him finding it.
“I’m not the first person to think of scraping ElasticSearch servers,” he says. Referring to the fact that all it took was simply to use Shodan to search for all ElasticSearch databases visible on publicly accessible servers with American IP addresses.
How Can This Criminals Use This Information?
Identity theft is thankfully not possible due to the absence of social security numbers or credit card data in the database. However, due to the minute details and behavioural characteristics in the data leak, scammers can use it for social engineering.
While this may not be as massive as Yahoo leaking 3 billion user account information, it is even bigger than the Equifax breach affecting 145 million Americans. Just like that Equifax breach, many users with compromised information are even aware their information is in the database.