Florida-based marketing firm Exactis has reportedly exposed a massive database containing nearly 340 million individual records and personal data of hundreds of millions of people and businesses on a publicly accessible server. Security researcher Vinny Troia, founder of the New York-based security firm Night Lion Security, discovered the database, which contained nearly 2 terabytes of data including 230 million records on American adults and 110 million records on US business contacts, Wired reports.
The exposed database reportedly included a slew of personal information including phone numbers, home and email addresses, interests and habits for every name. It even included the number, age and gender of their children and over 400 variables on a wide range of characteristics such as smoking habits, religion, any known pets, etc. Credit card data and Social Security numbers were not leaked.
"It seems like this is a database with pretty much every US citizen in it," Troia told Wired. "I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen."
It is not clear how long the database has been exposed for or if it has been accessed by any malicious actors. It is also not immediately clear exactly how many people and businesses have been affected in the breach.
According to Exactis' website, it has over 3.5 billion consumer, business and digital records.
Troia noted that he was able to find the database while using Shodan, a popular search tool that has been used by both researchers and hackers alike to scan for internet-connected devices. Using Shodan, Troia searched for all ElasticSearch databases stored on publicly accessible servers with US IP addresses. Among the 7000 search results returned, Troia spotted the Exactis database, which was left unprotected by any firewall.
Troia reportedly notified both Exactis and the FBI about the exposed database, which has since been secured. The company has yet to publicly respond to the reported data leak.
Although the exposed data did not contain any financial information, the exhaustive personal and lifestyle details leaked could be leveraged in targeted social-engineering and phishing attacks.
The exposed database comes as the latest in a string of leaks wherein a server that contains a vast trove of personal and sensitive information has been left unsecured online and available for anyone to access, if they know where to look.
Earlier this year, influencer marketing firm Octoly exposed the personal data of over 12,000 prominent social media influencers from YouTube, Instagram, Twitter and Twitch, including their street addresses, apartment numbers, phone numbers and more.
In June 2017, conservative data firm Deep Root Analytics accidentally exposed over a terabyte of political data of more than 198 million US citizens on an Amazon server without password protection. A few months later, security firm TigerSwan inadvertently exposed the personal data, resumes and expertise of hundreds of individuals, many of whom had "top secret" clearances and access to highly classified information.