Data Breach Sees Over 1 Billion Individuals Compromised
A significant data breach has been exposed, in which data on over one billion individuals was harvested online.
The breach was discovered in mid-October by security researchers Bob Diachenko and Vinny Troia, when they found that an open server holding data from two data enrichment firms contained four billion user accounts, across more than 4TB of data.
Data enrichment firms sell access to large stores of data that they have gained from many third-party sources, enabling companies to gain deeper insights into current and potential customers.
Vinny Troia, Chief of Threat Intelligence at Data Viper, explained:
“A total count of unique people across all data sets reached more than 1.2 billion people, making this one of the largest data leaks from a single source organisation in history. The leaked data contained names, email addresses, phone numbers, LinkedIn and Facebook profile information.
“The discovered Elasticsearch server containing all of the information was unprotected and accessible via web browser at http://188.8.131.52:9200. No password or authentication of any kind was needed to access or download all of the data.”
Troy Hunt, who runs the HaveIBeenPwned? breach notification site, said the case highlights a real challenge at the heart of the data enrichment industry. He said:
“Regardless of how well these data enrichment companies secure their own system, once they pass the data downstream to customers it’s completely out of their control. My data — almost certainly your data too — is replicated, mishandled and exposed and there’s absolutely nothing we can do about it. Well, almost nothing.”
Some organisations’ privacy policies enable users to find out what data the company holds on them. They can also ask for this data to be deleted. Individuals need to contact companies individually to find out about their policy.