You've probably never heard of the marketing and data aggregation firm Exactis. But it may well have heard of you. And now there's also a good chance that whatever information the company has about you, it recently leaked onto the public internet, available to any hacker who simply knew where to look, The Wired reports.
Earlier this month, security researcher Vinny Troia discovered that Exactis, a data broker based in Palm Coast, Florida, had exposed a database that contained close to 340 million individual records on a publicly accessible server. The haul comprises close to 2 terabytes of data that appears to include personal information on hundreds of millions of American adults, as well as millions of businesses. While the precise number of individuals included in the data isn't clear—and the leak doesn't seem to contain credit card information or Social Security numbers—it does go into minute detail for each individual listed, including phone numbers, home addresses, email addresses, and other highly personal characteristics for every name. The categories range from interests and habits to the number, age, and gender of the person's children.
"It seems like this is a database with pretty much every US citizen in it," says Troia, who is the founder of his own New York-based security company, Night Lion Security. Troia notes that almost every person he's searched for in the database, he's found. And when Wired asked him to find records for a list of 10 specific people in the database, he very quickly found six of them. "I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen," he says.
While it's far from clear if any criminal or malicious hackers have accessed the database, Troia says it would have been easy enough for them to find. Troia himself spotted the database while using the search tool Shodan, which allows researchers to scan for all manner of internet-connected devices. He says he'd been curious about the security of ElasticSearch, a popular type of database that's designed to be easily queried over the internet using just the command line. So he simply used Shodan to search for all ElasticSearch databases visible on publicly accessible servers with American IP addresses. That returned about 7,000 results. As Troia combed through them, he quickly found the Exactis database, unprotected by any firewall.
"I’m not the first person to think of scraping ElasticSearch servers," he says. "I’d be surprised if someone else didn't already have this."
Troia contacted both Exactis and the FBI about his discovery last week, and he says the company has since protected the data so that it's no longer accessible. Exactis did not respond to multiple calls and emails from Wired asking for comment on its data leak.
Aside from the sheer breadth of the Exactis leak, it may be even more remarkable for its depth: Each record contains entries that go far beyond contact information and public records to include more than 400 variables on a vast range of specific characteristics: whether the person smokes, their religion, whether they have dogs or cats, and interests as varied as scuba diving and plus-size apparel. Wired independently analyzed a sample of the data Troia shared and confirmed its authenticity, though in some cases the information is outdated or inaccurate.
While the lack of financial information or Social Security numbers means the database isn't a straightforward tool for identity theft, the depth of personal info nonetheless could help scammers with other forms of social engineering, says Marc Rotenberg, executive director of the nonprofit Electronic Privacy Information Center. "The likelihood of financial fraud is not that great, but the possibility of impersonation or profiling is certainly there," Rotenberg says. He notes that while some of the data is available in public records, much of it appears to be the sort of nonpublic information that data brokers aggregate from sources like magazine subscriptions, credit card transaction data sold by banks, and credit reports. "A lot of this information is now routinely gathered on American consumers," Rotenberg adds.
Without confirmation from Exactis, the precise number of people affected by the data leak remains tough to count. Troia found two versions of Exactis' database, one of which appears to have been newly added during the period he was observing its server. Both contained roughly 340 million records, split into about 230 million records on consumers and 110 million on business contacts. On its website, Exactis boasts that it possesses data on 218 million individuals, including 110 million US households, as well a total of 3.5 billion "consumer, business, and digital records."
"Data is the fuel that powers Exactis," the site reads. "Layer on hundreds of selects including demographic, geographic, lifestyle, interests, and behavioral data to target highly specific audiences with laser-like precision."