This is the treasure I need. Anyone know where to get it? The number of records available for anyone to download in plaintext from a breach at Verifications.io may have been closer to two billion. Regarding the 800m user leak from Verifications.io.
What data was leaked?
The security researcher who made the discovery, Bob Diachenko, says that 'although not all records contained the detailed profile information about the email owner, a large amount of records were very detailed.' That detail included commonplace breach data such as email addresses and phone numbers, but went far beyond the basics as well. Information such as dates of birth, mortgages amounts and interest rates and social media accounts related to the emails in question. But it doesn't stop there, you can also throw in basic credit scoring data, company names and revenue figures as well.
Should you be worried?
Yes, of course you should. This was, after all, a massive leak of the kind of personal information that would be a goldmine for the phishers and spammers of this world. However, that concern can be diluted by a number of factors. Not least there's the small matter that nobody has found any compelling evidence that the data has actually been used for any criminal purpose as of yet. Although the databases were accessible for some time, as soon as the problem was disclosed to Verifications IO the service was taken offline and remains so. Which means that bad guys alerted by this news won't be able to exploit it. What's just as important as what was in the breach is what wasn't. So, there were no social security numbers, no credit card numbers, no passwords. And, importantly, this was a leak not a hack: white hat researchers found the data was accessible rather than black hats looking to exploit it.
Can you mitigate your risk?
Yes, if you apply the basics of good cybersecurity hygiene. Which means being alert to the phishing risk, applying more skepticism than usual to unexpected emails, text messages, social media communications and even snail mail that want you to check a link out, open an attachment and so on. If threat actors have got hold of this data then it provides all the ammunition they require in order to appear like a trustworthy organization in their communications. If the communication really does sound genuine and you are tempted to respond as instructed, don't. Instead, I always advise folk to take the extra minute to try contacting the sender through another means: if it's a bank or commercial concern then google them and browse to their site using that address and not the message link, ditto with phone numbers. Remember that banks won't contact you by email regarding a security matter, nor will they ask for your account details over the phone. Don't let your security sense slip just because something sounds plausible, especially if a loss of money has been mentioned!
Update
Following publication of this story I have had conversations with Vinny Troia, founder of NightLion Security and one of the researchers who discovered the leak, as well as Andrew Martin, the founder and CEO at DynaRisk whose researchers came up with the two billion records figure. After Troia got in touch to dispute the bigger figure, I had an email conversation with Martin. 'I think the confusion has arisen because of different ways of interpreting the results' Martin stated, continuing 'the original analysis done by the other researchers is correct. They appear to have analyzed the 'mainEmailDatabase' and found 808m records.' Martin then explained that DynaRisk analyzed the other three databases, namely 'EmailScrub, PyEmail, VerifiedEmails' which were to be found on the same server. 'These three additional databases have 1.278 billion records, adding them together we got over two billion records.' Having now had a chance to parse the records from the other three databases for email addresses, Martin says that there are an additional 191 million bringing the total of email addresses alone to 999 million.
However, during an online chat session, Troia disputes those numbers. 'We parsed and checked all of those' Troia insists, continuing 'a lot are garbage email addresses and duplicates; after we de-duped we came to 800 million.' Troia also tells me that has double-checked the data with both Bob Diachenko and Troy Hunt and 'our numbers are all the same…' I went back to Martin with this information and he told me that 'their original research just discusses the records found in mailEmailDatabase and counts those records.'
While there is a sense of stalemate concerning the actual numbers here, I think I can leave the last word with Troia who points out that even at 800 million records this is still a pretty massive leak. 'From the sound of it a lot of other people were able to access this data before we did' Troia admits, concluding 'I know of at least two others so there's a fairly good chance some bad guys got hold of something…'
You've probably never heard of the marketing and data aggregation firm Exactis. But it may well have heard of you. And now there's also a good chance that whatever information the company has about you, it recently leaked onto the public internet, available to any hacker who simply knew where to look.
Earlier this month, security researcher Vinny Troia discovered that Exactis, a data broker based in Palm Coast, Florida, had exposed a database that contained close to 340 million individual records on a publicly accessible server. The haul comprises close to 2 terabytes of data that appears to include personal information on hundreds of millions of American adults, as well as millions of businesses. While the precise number of individuals included in the data isn't clear—and the leak doesn't seem to contain credit card information or Social Security numbers—it does go into minute detail for each individual listed, including phone numbers, home addresses, email addresses, and other highly personal characteristics for every name. The categories range from interests and habits to the number, age, and gender of the person's children.
'It seems like this is a database with pretty much every US citizen in it,' says Troia, who is the founder of his own New York-based security company, Night Lion Security. Troia notes that almost every person he's searched for in the database, he's found. And when WIRED asked him to find records for a list of 10 specific people in the database, he very quickly found six of them. 'I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen,' he says.
In the Open
While it's far from clear if any criminal or malicious hackers have accessed the database, Troia says it would have been easy enough for them to find. Troia himself spotted the database while using the search tool Shodan, which allows researchers to scan for all manner of internet-connected devices. He says he'd been curious about the security of ElasticSearch, a popular type of database that's designed to be easily queried over the internet using just the command line. So he simply used Shodan to search for all ElasticSearch databases visible on publicly accessible servers with American IP addresses. That returned about 7,000 results. As Troia combed through them, he quickly found the Exactis database, unprotected by any firewall.
'I’m not the first person to think of scraping ElasticSearch servers,' he says. 'I’d be surprised if someone else didn't already have this.'
Troia contacted both Exactis and the FBI about his discovery last week, and he says the company has since protected the data so that it's no longer accessible. Exactis did not respond to multiple calls and emails from WIRED asking for comment on its data leak.
Aside from the sheer breadth of the Exactis leak, it may be even more remarkable for its depth: Each record contains entries that go far beyond contact information and public records to include more than 400 variables on a vast range of specific characteristics: whether the person smokes, their religion, whether they have dogs or cats, and interests as varied as scuba diving and plus-size apparel. WIRED independently analyzed a sample of the data Troia shared and confirmed its authenticity, though in some cases the information is outdated or inaccurate.
'I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen.'
Vinny Troia, Night Lion Security
While the lack of financial information or Social Security numbers means the database isn't a straightforward tool for identity theft, the depth of personal info nonetheless could help scammers with other forms of social engineering, says Marc Rotenberg, executive director of the nonprofit Electronic Privacy Information Center. 'The likelihood of financial fraud is not that great, but the possibility of impersonation or profiling is certainly there,' Rotenberg says. He notes that while some of the data is available in public records, much of it appears to be the sort of nonpublic information that data brokers aggregate from sources like magazine subscriptions, credit card transaction data sold by banks, and credit reports. 'A lot of this information is now routinely gathered on American consumers,' Rotenberg adds.
- A Brutal Murder, a Wearable Witness, and an Unlikely Suspect
- Richard Stallman and the Fall of the Clueless Nerd
- Don't Storm Area 51, Begs the Webmaster of the UFO Kingdom
Advertisement
Without confirmation from Exactis, the precise number of people affected by the data leak remains tough to count. Troia found two versions of Exactis' database, one of which appears to have been newly added during the period he was observing its server. Both contained roughly 340 million records, split into about 230 million records on consumers and 110 million on business contacts. On its website, Exactis boasts that it possesses data on 218 million individuals, including 110 million US households, as well a total of 3.5 billion 'consumer, business, and digital records.'
'Data is the fuel that powers Exactis,' the site reads. 'Layer on hundreds of selects including demographic, geographic, lifestyle, interests, and behavioral data to target highly specific audiences with laser-like precision.'
A Database Dilemma
Massive leaks of user databases that are accidentally left accessible on the public internet have nearly reached epidemic status, affecting everything from health information to password caches stored by software firms. One particularly prolific researcher, security firm UpGuard's Chris Vickery, has discovered those database leaks again and again, from 93 million Mexican citizens' voter registration records to a list of 2.2 million 'high-risk' people suspected of crime or terrorism, known as the World Check Risk Screening database.
But if the Exactis leak does in fact include 230 million people's information, that would make it one of the largest in years, bigger even than 2017's Equifax breach of 145.5 million people's data, though smaller than the Yahoo hack that affected 3 billion accounts, revealed last October. (It's worth emphasizing in the case of the Exactis leak, unlike in those earlier data breaches, the data wasn't necessarily stolen by malicious hackers, only publicly exposed on the internet.) But like the Equifax breach, the vast majority of people included in the Exactis leak likely have no idea they're in the database.
EPIC's Marc Rotenberg argues that the timing of the breach, just after the implementation of Europe's General Data Protection Regulation, highlights the persistent lack of regulation around privacy and data collection in the US. A GDPR-like law in the US, he notes, might not have prevented Exactis from collecting the data it later leaked, but it might have required the company to at least disclose to individuals what sort of data it collects about them and allow them to limit how that data is stored or used.
'If you have a profile on someone, that person should be able to see their profile and limit its use,' Rotenberg says. 'It’s one thing to subscribe to a magazine. It’s another for a single company to have such a detailed profile of your entire life.'
More Great WIRED Stories
- PHOTO ESSAY: Seeking eternal life through liquid nitrogen
- The mission to build the ultimate burger bot
- These are the best tablets for every budget
- China won’t solve the world's plastics problem anymore
- The secret racy module that almost ruined D&D
- Looking for more? Sign up for our daily newsletter and never miss our latest and greatest stories
Andy Greenberg is a senior writer for WIRED, covering security, privacy, information freedom, and hacker culture. He’s the author of the forthcoming book Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers, out November 5. Greenberg's reporting on Ukraine's cyberwar has won a Gerald... Read more