Marketing firm Exactis leaks 340 million files containing private data

Adjust Comment Print

On Wednesday, a security researcher named Vinny Troia said he stumbled on a massive database containing the detailed records of 340 million people -all of which was mistakenly made available online. The information was stored by data broker Exactis, based in Palm Coast, Florida, and appears to include private information on adults as well as businesses.

The records include home addresses, phone numbers, email addresses and other sensitive information for named individuals.

More news: Lebron James lands in Los Angeles Saturday

While the files did not contain any financial information or social security numbers, they did hold wildly personal information such as interests, habits, and the number, age, and gender of any children of the individual. He was looking for ElasticSearch databases that can be seen on public servers with U.S. IP addresses. For some reason, Exactis failed to place the database behind a firewall, leaving it open for anyone to access. People who did so and want to make any big purchase may find the same. (That's according to the Google search description-Exactis' website is now unavailable, presumably because people are rushing to figure out exactly who leaked their information.) This kind of data is valuable to marketers, sure, but it's also useful to hackers who want to target specific people. This means that people don't have to worry about their credit card or debit card information being included in the Exactis data leak. He also said Exactis has now protected the data and it is no longer accessible publicly.

Though the data seems to be secure now, there's no telling how many people - if any - got access to the database. This is significantly more than those exposed during the Equifax breach previous year.

More news: Maradona doubts Argentina players pick Sampaoli's team

A marketing firm may be responsible for leaking 340 million data records, including information on 230 million Americans, this week. "The problem with most enterprises today", said Ruchika Mishra, Balbix director of products and solutions, "is that they don't have the foresight and visibility into the hundreds of attack vectors - be it misconfigurations, employees at risk of being phished, admin using credentials across personal and business accounts - that could be exploited".

On the company's website,, the firm describes itself as a "leading compiler and aggregator of premium business and computer data", storing "over 3.5 billion records (updated monthly)".

More news: Gareth Southgate defends resting England players for 'biggest game for a decade'

It's certainly possible, given that the Exactis database was indexed online, according to Troia, who leads his own security firm Night Lion Security. Speaking with Wired, the president of the Electronic Privacy Information Center said there's still a chance fraudsters could have profiled and impersonated users.