Last year the credit reporting firm Equifax revealed how unknown hackers stole the personal data of over 143 million Americans. In another incident, sensitive data of 123 million American households was leaked online.
Now Exactis, a Florida-based marketing firm, is being blamed for exposing the personal information of over 340 million people online. The data was left on a server without any protection, allowing anyone on the public internet to access it.
The data was discovered by Vinny Troia, founder of Night Lion Security, who contacted the FBI and Exactis. The good news is that the company has since secured the data; however, it is unclear what caused the leak and how the company remained unaware of the situation.
Although it is also unclear whether the data was accessed by malicious entities, Troia tweeted that he is working with Exactis directly to determine if, and by whom, the data was accessed.
I have spoken with Exactis and will be working with them directly to determine if/who accessed the data. @NightLionSec is on it. #ExactisBreach
— Vinny Troia, PhD (@vinnytroia) June 29, 2018
The incident was first reported by Wired, which confirmed that the exposed data includes phone numbers, email addresses, home addresses and personal characteristics for every name, including habits, interests, and the number, gender and age of a person’s children. Details about whether the person smokes, what type of pets they own and which religion they belong to were also part of the leaked records.
“It seems like this is a database with pretty much every U.S. citizen in it,” Troia told Wired. “I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen.”
According to Troia, he discovered the data by searching the Shodan search engine for all publicly accessible ElasticSearch (an open-source search engine) database servers with American IP addresses. Previously, Kromtech’s security researchers had identified two point-of-sale (POS) malware strains, AlinaPOS and JackPOS, hosted on more than 4,000 ElasticSearch servers.
ElasticSearch is the same platform that was targeted in the MongoDB ransomware campaign. In total there are over 15,000 ElasticSearch servers that have no authentication or password protection at all, while the POS malware strains were found on more than 4,000 of them.
340 million records is a massive amount of data, and if the figure is accurate this has to be one of the largest data leaks on record. Why Exactis holds such sensitive personal data in the first place is another question.
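The exposure pattern described above, an ElasticSearch node listening on all interfaces with no authentication, comes down to a few settings in elasticsearch.yml. The following is an added illustration, not a configuration from Exactis or from the original article; it assumes an Elasticsearch 6.x node with X-Pack available, and the first document is the weak setup while the second is a hardened one.

```yaml
# Constructed example (not from the article): an exposed node.
# Binding to 0.0.0.0 publishes the HTTP API on every interface, and with
# X-Pack security disabled any client that can reach port 9200 can read,
# modify or delete every index without credentials.
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
---
# Hardened version of the same node.
# Bind only to the loopback/internal address so the API is not reachable
# from the public internet; put a reverse proxy or VPN in front if remote
# access is genuinely needed.
network.host: 127.0.0.1
http.port: 9200
# Require authentication for every request and encrypt node-to-node traffic.
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
```

A quick self-check after restarting the node is to request the root endpoint without credentials from an external host; a correctly hardened node either refuses the connection or answers with HTTP 401 rather than cluster details.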
Anurag Kahol, Bitglass CTO commented on the leak and said that “Consumers should be concerned about the type and volume of information that is collected, spliced together and housed in databases such as the one that was leaked by Exactis.”
“Exposing roughly 340 million records – or a database of nearly 2 TB – to the public internet is a significant offense by the organization and one that we’ve seen dozens of times in the past year, yet it is unlikely that we’ll see anything change unless organizations take the initiative in protecting corporate data,” Kahol added.
“Regulations like GDPR have already compelled many to reassess their security postures, to deploy technologies that mitigate the risk of data loss, and to limit the transfer of sensitive consumer data to high-risk third parties.”