A new data leak could affect almost every single American, perhaps more than Equifax’s massive 2017 data breach of nearly 150 million individuals.
Earlier this month, the renowned security researcher Vinny Troia announced that he had discovered an unsecured database containing around 340 million individual records. According to Troia, the database belonged to Exactis, a Florida-based marketing and data-aggregation firm, and included profiles of a few hundred million Americans.
Troia told Wired that the catch contains about two terabytes of data that includes personal information of almost every American adult, along with millions of businesses.
While the database does not include credit-card numbers or Social Security information, it does include phone numbers, home addresses, email addresses and personal characteristics for every name, such as interests and personal habits, plus the number, age, and gender of the person’s children. Other types of information found: religion, whether a person smokes, kind of pet. Even though the millions of individual profiles did not include financial information, it was more than enough data to help scammers steal identities.
“It seems like this is a database with pretty much every US citizen in it,” said Troia, who is the founder of his own New York-based cyber security company, Night Lion Security.
Troia searched the database for about 40 or 50 names, and everybody he searched for came up. “I searched for celebrities; I searched for people I know.”
Wired then asked him to search for ten people, of whom he found only six. “I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen,” he stated.
Troia explained to Wired that he was able to access the database on the internet, and he warned that plenty of other people could have done so as well. Once he discovered the unsecured database, he contacted Exactis and the FBI about the vulnerability, and the database has since disappeared from public view.
If Troia’s numbers are remotely accurate, this leak could be one of the most significant data security breaches in several years, surpassing last year’s Equifax breach and the Facebook debacle with Cambridge Analytica.
In the ‘About Us’ section of Exactis’ website, the company said it managed 3.5 billion consumer, business, and digital records including “demographic, geographic, firmographic, lifestyle, interests, CPG, automotive, and behavioral data.”
“When I looked myself up, I found the name of my mortgage lender, the value class of my home and whether or not I had a certain kind of credit card,” Troia added.
Marc Rotenberg, executive director of the nonprofit Electronic Privacy Information Center, told Wired that corporations are routinely data mining Americans, and that the leak could be used to impersonate others.
“If you have a profile on someone, that person should be able to see their profile and limit its use,” Rotenberg said.
“It’s one thing to subscribe to a magazine. It’s another for a single company to have such a detailed profile of your entire life.”
Exactis refused to speak with Wired or any other media outlets, and it is still unclear whether hackers made off with the terabytes of raw data on almost every single American.