Over 1.2 billion records of personal data have leaked online in a massive security breach. The leaked data contains email IDs, employers, social media profiles, phone numbers, names, job titles and even geographic locations.
Discovered by security researchers Vinny Troia and Bob Diachenko, the exposed data comes with an index which suggests it was essentially sourced from a data enrichment company called People Data Labs. The unprotected Elasticsearch server contained as many as 622 million unique email addresses, researchers added.
“The server was not owned by PDL and it’s believed a customer failed to properly secure the database. Exposed information included email addresses, phone numbers, social media profiles and job history data,” read an email notification from Have I Been Pwned.
Interestingly enough, there’s very little information about PDL, which claims to build “people data.” According to its LinkedIn profile, the San Francisco-based company has a dataset of 1.5 billion unique person profiles which can be used to “build products, enrich person profiles, power predictive modeling/AI, analysis, and more.”
The date of breach is October 16, 2019.
While the leaked information may seem general in nature, it can readily be exploited by cybercriminals to launch phishing attacks and spam campaigns, or simply be sold on the dark web.
“…regardless of how well these data enrichment companies secure their own system, once they pass the data downstream to customers it’s completely out of their control. My data – almost certainly your data too – is replicated, mishandled and exposed and there’s absolutely nothing we can do about it. Well, almost nothing…,” wrote security researcher Troy Hunt in a blog post.
“The recurring theme I’m finding with exposed data of this nature is increasing outrage that the data aggregator obtained and used personal information in a fashion the owner of the data (i.e. me) didn’t consent to. It’s not about how public the data might be through the channels people choose to publish it, rather it’s about the use of the data outside its intended context,” he added.