News

Marketing Firm Exactis Leaks Personal Info of Almost Entire US

340 Million Individual Records

Exactis is not a company name many Americans are familiar with. However, judging by the size of the latest data leak discovered by security researchers, they certainly know many Americans. Exactis is a marketing data and aggregation firm, based out of Palm Coast, Florida.

Researcher Vinny Troia of Night Lion Security discovered earlier this month that Exactis’ database was exposed on a publicly accessible server. This database contains over 2 Terabytes of data, with close to 340 million individual records. Thankfully, it does not contain any Social Security or credit card information.

However, Exactis specializes in marketing data. So this database contains relevant information like names, phone numbers, home addresses, and email addresses.

Plus, each record even contains entries that go far beyond contact information and public records. This includes more than 400 variables on a vast range of specific characteristics. This includes factors such as as whether a person smokes, whether they are religious, or even if they have dogs or cats, and more.

Where exactly they get their information is unclear, which certainly makes the whole affair even scarier. “I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen,” says Troia.

How Does Something Like This Happen?

It is security researchers like Troia’s job to find possible network vulnerabilities like these. However, in the case of Exactis, it was not exactly difficult to find. Their records were all publicly available and the database was not behind a Firewall.

Troia reached out to both Exactis and the FBI about his discovery last week. So the company has since protected the data, rendering it inaccessible. However, Troia states that it is surprising if someone else didn’t already accessed the data prior to him finding it.

“I’m not the first person to think of scraping ElasticSearch servers,” he says. Referring to the fact that all it took was simply to use Shodan to search for all ElasticSearch databases visible on publicly accessible servers with American IP addresses.

How Can This Criminals Use This Information?

Identity theft is thankfully not possible due to the absence of social security numbers or credit card data in the database. However, due to the minute details and behavioural characteristics in the data leak, scammers can use it for social engineering.

While this may not be as massive as Yahoo leaking 3 billion user account information, it is even bigger than the Equifax breach affecting 145 million Americans. Just like that Equifax breach, many users with compromised information are even aware their information is in the database.

Ron Perillo

Disqus Comments Loading...

Recent Posts

Trust Gaming GXT 609 Zoxa 2.0 PC Speakers

SOUNDS GREAT – Full stereo sound (12W peak power) gives your setup a booming audio…

4 hours ago

PowerA Wired Controller for Nintendo Switch

Special Edition Yoshi design Ergonomic controller shape with Nintendo Switch button layout Detachable 10ft (3m)…

4 hours ago

Logitech G Saitek PRO Flight Rudder Pedals

Fluid Motion: These flight rudder pedals are smooth and accurate that enable precise control over…

4 hours ago

Logitech G Saitek Farm Sim Controller

Heavy Equipment Bundle: Includes a steering wheel for heavy machinery, gas and brake pedals, and…

4 hours ago

Razer Ornata V3 X – Low Profile Gaming Keyboard

Low-profile Keys for an ergonomic gaming experience. With slimmer keycaps and shorter switches, enjoy natural…

4 hours ago

Glorious Gaming Model O Wired Gaming Mouse

Size & style: Ambidextrous lightweight mouse for gaming. Built for speed, control and comfort, with…

4 hours ago