Exactis Exposes Non-Financial Data On Close To 340M Americans

Exactis, the marketing and data aggregation firm, was the subject of a data breach in which customer information ended up on the Internet for hackers or anyone else to view.

According to a report in Wired citing security researcher Vinny Troia, the researcher discovered earlier this month that a database with nearly 340 million records was accessible on the company’s server. The data included personal information on hundreds of millions of adults in the country and on millions of businesses. It is not clear how many distinct individuals the records cover. Wired noted that the data does not appear to include sensitive information such as credit card account numbers or Social Security numbers. But it amounted to close to two terabytes, including phone numbers, addresses, emails and other details such as interests, habits and the number of children a person has.

“It seems like this is a database with pretty much every U.S. citizen in it,” Troia, founder of Night Lion Security, said in the report. He said he was able to find nearly every person he searched for in the database. “I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen.” Troia noted that while it is not clear whether any hackers have accessed the database, it is not too difficult to find — he located it with Shodan, an internet search tool. He had been looking into the security of ElasticSearch databases and quickly came across the unprotected Exactis instance. “I’m not the first person to think of scraping ElasticSearch servers,” he told Wired. “I’d be surprised if someone else didn’t already have this.”

Exactis was alerted to the leak last week — as was the FBI, noted the report. The database is now protected. The company did not respond to inquiries by Wired. Although the database did not contain any information about a person’s financial accounts or their Social Security numbers, it was detailed enough to help hackers trick consumers into giving up logons and passwords. Marc Rotenberg, executive director of the nonprofit Electronic Privacy Information Center, said that while there is not a big chance that hackers could commit financial fraud with it, there is a chance they can profit in other ways.
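The root cause described above is an Elasticsearch instance reachable from the internet with no authentication. As an added illustration that is not from the article or from Exactis, the following `elasticsearch.yml` fragments contrast the exposed-by-default pattern with a hardened baseline; it assumes Elasticsearch 7.x or later, where the basic security features (user authentication, TLS) are available in the default distribution, and a single-node deployment.

```yaml
# --- Weak: the pattern behind an "unprotected database on the internet" ---
# Binding to all interfaces publishes the REST API (port 9200) to any network
# the host sits on; with security disabled, every index is readable by anyone
# who can reach the port, and the node is trivially discoverable by search
# engines that index open services.
cluster.name: marketing-data
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false

# --- Hardened baseline (constructed example; adapt hostnames/paths) ---
# 1. Bind only to loopback (or a private interface) so the API is not
#    reachable from the public internet; front it with an authenticated
#    proxy or VPN if remote access is genuinely required.
# 2. Turn on the built-in security so every request needs credentials.
# 3. Encrypt the HTTP layer so credentials and data are not sent in clear.
cluster.name: marketing-data
network.host: 127.0.0.1
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
# Paths below are placeholders; generate a certificate for this node and
# point these settings at it.
xpack.security.http.ssl.keystore.path: certs/http.p12
```

After enabling security, create the built-in user passwords with `bin/elasticsearch-setup-passwords interactive` (or `elasticsearch-reset-password` on 8.x) and confirm from an external host that port 9200 is closed, not merely password-protected.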