A little-known Florida-based marketing company called Exactis may be responsible for one of the largest exposures of personal data to date. According to a report by Wired, the company left roughly 340 million individual records on a publicly accessible server that anyone on the internet could have reached.
The exposure was discovered earlier this month by security researcher Vinny Troia, founder of New York-based security firm Night Lion Security. He reported his findings to the FBI and to Exactis earlier this week, and although the company has since locked down the data, it is unclear exactly how long it had been exposed.
So how serious is the leak? It's pretty bad. The data stored on the server amounts to roughly two terabytes of personal information.
Troia told Wired that the Exactis database appears to contain data on "almost all US citizens," with about 230 million records on US consumers and 110 million records on US business contacts. That roughly matches the claim on Exactis's own website that it holds data on 218 million individuals. If the leak is really as large as estimated, it would be one of the biggest exposures of personal information in recent memory.
Each record ties a person's name to a number of data points, including phone numbers, home addresses, and e-mail addresses. The records also hold more than 400 characteristics per person, ranging from whether the person smokes, to their religion, to whether they have pets, to whether they have children, to their age, to interests such as plus-size clothing, according to Wired.
Notably, no financial information or Social Security numbers were found in the database. (Don't worry, all of that was probably already exposed by Equifax last year.) That does not mean the information is worthless, however. If a malicious actor obtained this data, it could easily be correlated with previous breaches to build an even more complete profile of an individual, or be used directly for targeted social engineering and phishing attacks.
There are many troubling things about the Exactis leak, not least the sheer breadth of the information exposed. First, there is the question of how this small marketing company based in Palm Coast, Florida got its hands on the personal interests and contact details of hundreds of millions of Americans.
Troia said he did not know exactly where the data came from, but described it as "one of the most comprehensive collections" he had ever seen. Marc Rotenberg, executive director of the nonprofit Electronic Privacy Information Center, told Wired that the information could have been aggregated from a variety of sources, including magazine subscriptions, credit card transaction data, and credit reports.
Then there is the fact that no one knows whether this massive database was accessed by anyone before Troia found it. Only Exactis is in a position to know how long the server went unprotected and, if it kept access logs, who connected to it. The company has not yet publicly responded to the leak and did not respond to a request for comment.
Chances are that someone, whether a criminal or just a curious passer-by, stumbled on the server before Troia did. Troia found the database using Shodan, a search engine that continuously indexes internet-connected, publicly reachable devices and services so that anyone can query them by port, banner, or product. Anyone with access to the same tool could just as easily have discovered the same server.
These kinds of leaks, where a server holding sensitive information is left reachable without authentication, occur with surprising regularity. A conservative data firm accidentally exposed information on more than 200 million Americans last year. Some 12,000 social media influencers had their information exposed in a similar mishap, as did US military veterans and government contractors. All of this suggests that the companies collecting this data do not treat protecting it as part of their mission.
[Wired]