Marketing Firm Exposes 340 Million Records on US Consumers2 Terabyte Database Includes Up To 150 Fields With US Consumers' Data
A computer security researcher has discovered a vast marketing database containing 340 million records on U.S. consumers, including such information as credit worthiness, political donations, stock ownership and the ages of their children.
The database, which is 2 terabytes in size, was left exposed to the internet without authentication, says Vinny Troia, who runs the New York-based consultancy NightLion Security. He says the data belongs to the marketing company Exactis, which is based in Palm Coast, Florida.
"You don't run across data sets that are 2 terabytes large often," Troia tells Information Security Media Group.
Troia's discovery adds to the ongoing problem of organizations that deploy technology - from Mongo DB instances to Amazon S3 storage buckets - but misconfigure them, thus leaving them and the data they store exposed to the internet, where anyone might access them.
Uber, for example, exposed 57 million riders and drivers by accidently leaving login credentials on a private GitHub site used by Uber's engineers. Hackers successfully obtained the credentials and used them to accsess massive amounts of Uber data from its Amazon Web Services account (see Uber Concealed Breach of 57 Million Accounts for a Year).
Data Fields Galore
In the case of the Exactis data exposure, each exposed record contains up to 150 fields describing a person. Troia says the fields include basic biographical data, such as names, addresses and phone numbers. About half of the records also contain email addresses, he says.
From there, however, the data gets much more detailed: the number of children in a household, the ages of those children, what type of payment cards a person holds, an estimation of their home's value, whether they own stock, their hobbies, their mortgage company, credit rating, ethnic group, political donations and religion, among many others.
"There are so many fields," Troia says. "I was impressed to see that much information per person. It's very unusual to see."
The database does not contain Social Security numbers, bank account details or other direct financial account information, Troia says. But he says the personal data in the Exactis database would still be useful for spam or fraud.
"The only piece of information that's missing is a Social Security number, which I'd say isn't that hard to find," Troia says.
Exactis immediately shut off access to the database after Troia notified the company. It's unknown how long the data was exposed, but Troia says it was at least two months. It's also unknown if parties other than Troia may have accessed it.
Easy To Spot
Troia says around two months ago he was looking for instances of Elasticsearch, a kind of high-performance database. He used Shodan, which is a search engine designed to search for internet-connected devices.
Shodan showed 7,000 instances of Elasticsearch that were facing the internet, Troia says. From there, he began investigating what kind of data was exposed.
"I wrote a script to literally query all of them and put the output into a file and then looked for specific keywords within the tables that might be interesting like name, date of birth," he says. The database belonging to Exactis "wasn't hard to spot."
But Troia says that figuring out the owner of the database wasn't easy. He just had an IP address, and contacted two different hosting companies in an attempt to identify their client. One of the hosting providers called Exactis, which then got in touch with Troia.
"They [Exactis] were happy I told them," Troia says. "I can't say one way or the other whether or not they seemed surprised."
Officials from Exactis couldn't immediately be reached for comment by phone or email. But the company's website gives some insight into the amount and type of data it collects.
Exactis is data broker, and its trade is supplying other businesses with data about their prospective sales leads or existing customers. The company claims to have "one of the largest and most respected in the data marketing industry."
The company says its "data cloud" contains 3.5 billion consumer, business and digital records. It claims to have an email database of 500 million consumer and 16 million business records.
"By analyzing the empirical evidence in your customer database, Exactis can identify the most descriptive traits and segments of your ideal customer, and use that information to understand behaviors, target unique segments, even determine the mix of products or services that are most effectively marketed together," it claims.
The sources for the data harvested by Exactis are unclear. But Exactis says its data warehouse has been built on "hundreds of compiled and proprietary data sources," including behavioral data.
Exactis owns other platforms, including AutoAppend, which tries to match an email address to a contact. It also runs Data Verification, which is a service that helps companies confirm email addresses and weed out invalid ones.
String of Internet-Exposed Databases
Exactis isn't the only firm to have left sensitive information in internet-exposed databases lacking encryption.
In recent years, security researcher Chris Vickery, in particular, has turned up dozens of firms that have left their databases exposed, including at a New York-based medical practice, Dow Jones, as well as Verizon, WWE, Scottrade and Deep Root Analytics, a data analytics firm aligned with the Republican Party, among many others (see 198 Million US Voter Records Left Online For Two Weeks).
Executive Editor Mathew Schwartz also contributed to this article.