The security researcher Vinny Troia was analyzing the level of security for Elasticsearch installs exposed online when discovered millions of records belonging to Americans that were left unsecured online.
The expert used Shodan to find U.S. Elasticsearch databases exposed on the internet, the query allowed him to discover around 7,000 instances. One of them immediately appeared very interesting, an archive owned by US data broker firm Exactis that was containing personal data on both consumers and businesses.
“Earlier this month, security researcher Vinny Troia discovered that Exactis, a data broker based in Palm Coast, Florida, had exposed a database that contained close to 340 million individual records on a publicly accessible server. The haul comprises close to 2 terabytes of data that appears to include personal information on hundreds of millions of American adults, as well as millions of businesses.” reported Wired.
“While the precise number of individuals included in the data isn’t clear—and the leak doesn’t seem to contain credit card information or Social Security numbers—it does go into minute detail for each individual listed, including phone numbers, home addresses, email addresses, and other highly personal characteristics for every name.”
The archive was containing roughly 340 million records (230 million on consumers and 110 million on business contacts), this is probably the biggest potential breach ever seen.
According to Exactis website, the firm gathered consumer data on 218 million individuals and 110 million households.
The archive contains 88 million records that include email addresses and postal addresses, while 112 million records include residential phone numbers.
Business data includes 21 million records of companies, 40 million postal addresses, 21 million records with email addresses and postal address, and 52 million business phone numbers.
The good news is that the archive did not include credit card information or Social Security numbers.
At the time it is not clear how much the archive was exposed, but experts believe it was completely exposed online. The archive includes interests, habits and the age and gender of children, and more than 400 variables ranging from religion, pets, and whether a person smokes.
The knowledge of so detailed profiles could allow attackers to launch effective spear phishing campaigns.
The security expert promptly reported his findings to the FBI and Exactis, the company immediately secured the database.
Customers proposed a class action in the Florida federal court last week claiming that Exactis did not implement best practice guidelines to protect the data.
(Security Affairs – Exactis, data breach)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.