Largest Data Breach of 2018 Exposed 340 Million Records

A database of U.S. consumer information has been left unprotected online by the marketing company Exactis. At 340 million records, this is the biggest data breach of 2018.

You may not have heard about Florida-based data broker Exactis, but chances are the firm has heard of you. The firm holds 3.5 billion consumer, company and digital records while its email database contains 500 million consumer emails and 16 million company emails.

One database managed by the firm includes around 340 million records, including 230 million consumer records and 110 million records of companies. That database was recently found to have been left exposed on the Internet. The database could be viewed without any authentication. Anyone who knew where to look would have been able to access the database. At least one individual did.

Security expert Vinny Troia, who operates NightLion Security, a New York consultancy firm, was searching online for instances of Elasticsearch databases. Troia wanted to know about the security of the databases as they are designed to be easily queried over the Internet. Troia searched for the databases using Shodan, a search engine that permits people to find specific types of computers that are connected to the Internet.

Troia found more than 7,000 Elasticsearch databases that were visible on publicly accessible servers with U.S. IP addresses and set about finding out which, if any, had data shared on the Internet. He wrote a script that queried those databases and searched for keywords that would show they contained sensitive information – fields such as date of birth.

2 Terabytes of Data Accessible

One database stood out due to the amount of data it included – around 2 terabytes of data. The database was not safeguarded by a firewall and could be accessed without authentication. The database was discovered to include huge numbers of detailed records about consumers. Troia said: “It seems like this is a database with pretty much every U.S. citizen in it… it’s one of the most comprehensive collections I’ve ever seen.”

He found the records included up to 150 data fields, with highly detailed information on consumers including names, addresses, phone numbers, email details and descriptions of the person, including information such as the estimated value of their home, hobbies, mortgage supplier, ethnic group, whether the individual owns any stock, their religion, if they have made political donations, number of children, people in the household, whether they are smokers, if they own any pets and a range of other examples.

While the database did not include Social Security numbers or financial data, the data could be used by hackers in spear phishing campaigns, telephone scams and social engineering attacks. Around half the records contained email addresses, making it particularly valuable to hackers.

Troia said he is certainly not the only individual who has searched for Elasticsearch databases, and the database was easy to find using Shodan, a search engine popular with both white hat and black hat hackers. It is unknown whether anyone else located the database, but Troia explains that it would not be hard for anyone to locate it. He could not be sure how long the database had been exposed online, but said it was at least two months.

After discovering an IP address which he believed belonged to the owner, Troia contacted two hosting companies, one of which notified Exactis. Troia also alerted the FBI. Exactis made contact with Troia and the database has now been made safe and is no longer accessible.

At 340 million records, this is the biggest data breach of 2018 and one of the largest breaches ever found. The breach is more than twice the size of the Experian data breach of last year, although not on the same level as the Yahoo data breach that included around 3 billion records. However, the types of information exposed potentially make the breach far more significant than Yahoo’s.

A database including such detailed data on consumers should not have been left exposed. Safeguards should have been in place to alert the company that security protections had either been turned off or had not been enabled.

This security breach certainly stands out in terms of scale, but it is sadly only one of many that have been discovered in recent months involving databases left openly accessible over the Internet.


Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writes about compliance and the related areas of IT security breaches. Elizabeth has a focus on data privacy and secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone