Security researcher Vinny Troia was assessing the security of Elasticsearch installations exposed online when he discovered millions of records on Americans left unsecured on the internet.
The researcher used Shodan to find U.S. Elasticsearch databases reachable from the internet; the query returned around 7,000 instances. One of them immediately stood out: an archive owned by the US data broker Exactis containing personal data on both consumers and businesses.
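The step that turns a Shodan hit into a confirmed exposure is a plain HTTP check: an unauthenticated Elasticsearch node answers `GET /` on port 9200 with its version banner, and `GET /_cat/indices?format=json` then reveals every index and its document count. The following helper, added here as an illustration and not code from Vinny Troia, Exactis or Security Affairs, classifies such a response and totals the exposed documents. The two API endpoints are real Elasticsearch APIs; the sample responses in the block are constructed and do not come from any real host, and the `probe()` function is only meant for hosts you are authorised to test.

```python
"""Audit helper: decide whether an Elasticsearch endpoint answers without
authentication and estimate how many documents it exposes.

Added example for this article; not code from the researcher or the company.
GET / and GET /_cat/indices?format=json are real Elasticsearch APIs; the
sample responses at the bottom are constructed, not captured from a live host.
"""
import json
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

ES_TAGLINE = "You Know, for Search"   # banner every Elasticsearch node returns on GET /


def classify_root_response(status, body):
    """Classify the response to GET / on port 9200.

    'open'              -> 200 with the Elasticsearch banner: anyone can read and write it
    'auth-required'     -> node demands credentials (401/403)
    'not-elasticsearch' -> anything else (other service, HTML page, garbage)
    """
    if status in (401, 403):
        return "auth-required"
    if status != 200:
        return "not-elasticsearch"
    try:
        data = json.loads(body)
    except ValueError:
        return "not-elasticsearch"
    if isinstance(data, dict) and data.get("tagline") == ES_TAGLINE:
        return "open"
    return "not-elasticsearch"


def summarize_indices(cat_indices_body):
    """Sum docs.count over the JSON form of GET /_cat/indices.

    Returns (total_docs, [(index, docs), ...]) sorted largest first. The total
    is the upper bound on records that can be pulled out with a scroll query.
    """
    rows = json.loads(cat_indices_body)
    per_index = []
    for row in rows:
        # _cat returns every field as a string; closed indices carry no count.
        count = row.get("docs.count")
        per_index.append((row["index"], int(count) if count not in (None, "") else 0))
    per_index.sort(key=lambda item: item[1], reverse=True)
    return sum(docs for _, docs in per_index), per_index


def probe(host, port=9200, timeout=5):
    """Live check of a single host you are authorised to test (needs network;
    not exercised offline). Returns (verdict, total_docs, per_index)."""
    base = f"http://{host}:{port}"
    try:
        with urlopen(Request(base), timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as exc:
        status, body = exc.code, ""
    except URLError:
        return "unreachable", 0, []
    verdict = classify_root_response(status, body)
    if verdict != "open":
        return verdict, 0, []
    url = f"{base}/_cat/indices?format=json&h=index,docs.count"
    with urlopen(Request(url), timeout=timeout) as resp:
        total, per_index = summarize_indices(resp.read().decode("utf-8", "replace"))
    return verdict, total, per_index


# Constructed sample responses (hypothetical; not from any real server).
SAMPLE_OPEN_ROOT = json.dumps({
    "name": "node-1", "cluster_name": "elasticsearch",
    "version": {"number": "6.3.0"}, "tagline": ES_TAGLINE,
})
SAMPLE_CAT_INDICES = json.dumps([
    {"index": "consumers", "docs.count": "230000000"},
    {"index": "business_contacts", "docs.count": "110000000"},
    {"index": ".kibana", "docs.count": "3"},
])

if __name__ == "__main__":
    print(classify_root_response(200, SAMPLE_OPEN_ROOT))   # open
    print(classify_root_response(401, ""))                 # auth-required
    total, per_index = summarize_indices(SAMPLE_CAT_INDICES)
    print(total, per_index)
```

The practical check for defenders is the same in reverse: if your own node answers `GET /` with the banner from outside the network, it is readable by everyone, and the fix is to bind it to a private interface or put authentication (X-Pack security, a reverse proxy) in front of it, not to rely on nobody finding it.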
“Earlier this month, security researcher Vinny Troia discovered that Exactis, a data broker based in Palm Coast, Florida, had exposed a database that contained close to 340 million individual records on a publicly accessible server. The haul comprises close to 2 terabytes of data that appears to include personal information on hundreds of millions of American adults, as well as millions of businesses.” reported Wired.
“While the precise number of individuals included in the data isn’t clear—and the leak doesn’t seem to contain credit card information or Social Security numbers—it does go into minute detail for each individual listed, including phone numbers, home addresses, email addresses, and other highly personal characteristics for every name.”
The archive contained roughly 340 million records (230 million on consumers and 110 million on business contacts), which makes it potentially one of the largest exposures of personal data ever seen.
According to the Exactis website, the firm holds consumer data on 218 million individuals and 110 million households.
The archive contains 88 million records that include both email and postal addresses, and 112 million records that include residential phone numbers.
The business data includes 21 million company records, 40 million postal addresses, 21 million records with both email and postal addresses, and 52 million business phone numbers.
The good news is that the archive did not include credit card information or Social Security numbers.
It is not yet clear how much of the archive was accessed, but experts believe all of it was reachable online. The records include interests, habits, the age and gender of children, and more than 400 variables covering religion, pets, whether a person smokes, and more.
Profiles this detailed would let attackers craft highly convincing spear-phishing campaigns, since each message can be personalised with the target's address, phone number, interests and family details.
The researcher promptly reported his findings to the FBI and to Exactis, which immediately secured the database.
Last week, customers filed a proposed class action in Florida federal court, claiming that Exactis failed to follow best-practice guidelines for protecting the data.
(Security Affairs – Exactis, data breach)