A database of U.S. consumer information has been left unprotected online by the marketing company Exactis. With 340 million records, this is the largest data breach of 2018.
While you may not be familiar with the Florida-based data broker Exactis, it is likely that the firm holds information about you. The firm manages 3.5 billion consumer, company, and digital records. Its email database contains 500 million consumer emails and 16 million company emails.
One database managed by Exactis includes approximately 340 million records, comprising 230 million consumer records and 110 million company records. This database was recently discovered to have been left exposed on the Internet, accessible without any authentication. Anyone who knew where to look could have accessed the database, and at least one individual did.
Security expert Vinny Troia, who operates the New York consultancy firm NightLion Security, was searching online for instances of Elasticsearch databases. Troia sought to understand the security of these databases, which are designed to be easily queried over the Internet. He used the search engine Shodan, which allows users to find specific types of computers connected to the Internet.
Troia found more than 7,000 Elasticsearch databases visible on publicly accessible servers with U.S. IP addresses. He then set about determining which, if any, contained sensitive information. He wrote a script to query these databases for keywords indicating they contained sensitive data, such as fields for date of birth.
One database stood out due to its volume, containing approximately 2 terabytes of data. This database was not protected by a firewall and could be accessed without authentication. Troia discovered that it included a vast number of detailed consumer records. He remarked, “It seems like this is a database with pretty much every U.S. citizen in it… it’s one of the most comprehensive collections I’ve ever seen.”
The records contained up to 150 data fields, including highly detailed consumer information such as names, addresses, phone numbers, email addresses, and descriptions of the individual. This included estimated home values, hobbies, mortgage providers, ethnic groups, stock ownership, religion, political donations, number of children, household members, smoking status, pet ownership, and more.
Although the database did not include Social Security numbers or financial data, the information could be exploited by hackers for spear phishing campaigns, telephone scams, and social engineering attacks. Approximately half the records contained email addresses, making the database particularly valuable to hackers.
Troia indicated that he was likely not the only person who had searched for Elasticsearch databases, as the database was easily found using Shodan, a popular search engine among both white hat and black hat hackers. It is unknown whether anyone else located the database, but Troia noted that it would not have been difficult for others to find. He could not ascertain how long the database had been exposed online, but estimated it was at least two months.
After identifying an IP address that he believed belonged to the owner, Troia contacted two hosting companies, one of which notified Exactis. He also alerted the FBI. Exactis then contacted Troia, and the database has since been secured and is no longer accessible.
With 340 million records, this is the largest data breach of 2018 and one of the largest breaches ever recorded. The breach is more than twice the size of last year’s Experian data breach, though not as large as the Yahoo data breach, which involved approximately 3 billion records. However, the nature of the information exposed potentially makes this breach far more significant than Yahoo’s.
A database containing such detailed consumer information should not have been left exposed. Safeguards should have been in place to alert the company if security protections were disabled or not enabled.
While this security breach is remarkable in terms of scale, it is, unfortunately, one of many similar incidents in recent months involving databases left openly accessible on the Internet.
