You might never have heard of Exactis, a marketing and data aggregation firm, but they know you. In June 2018, Exactis inadvertently leaked 340 million records of personal data.
Millions of Records Exposed
The data breach you never heard of went under the radar, but it may impact you. A security researcher, Vinny Troia of Night Lion Security, found multiple terabytes of exposed personal information covering millions of American adults and millions of businesses.
“It seems like this is a database with pretty much every US citizen in it,” said Troia.
Why Does Exactis Have This I
Exactis collected this data for their service as a compiler and aggregator of premium business & consumer data, which they then sell for profiling and marketing purposes, according to HaveIBeenPwned site owner, Troy Hunt. 132 million unique email addresses were added to Hunt’s database of exposed information.
Exactis exposed 340 million records of personal data that they were collecting. The compromised data included the following: credit status information, dates of birth, education levels, email addresses, ethnicities, family structure, financial investments, genders, homeownership statuses, income levels, IP addresses, marital statuses, names, net worths, occupations, personal interests, phone numbers, physical addresses, religions, and spoken languages.
How Did This Happen?
Troia investigated the Exactis breach. He used a search tool, Shodan, which allowed him to scan for internet-connected devices. He used Shodan to test the security of ElasticSearch, a popular database designed to be easily queried over the internet using just the command line.
Troia used Shodan to search for all ElasticSearch databases visible on publicly accessible servers with American IP addresses. The search returned 7,000 results. Troia combed through them and found that Exactis’s database was unprotected by any firewall.
Secure Your Digital Life
Since the data breach did not contain financial information or Social Security numbers, the likelihood of financial fraud is not high. With personal information like full names and home addresses, social engineering attacks are the main concern.
Beware of suspicious-sounding emails that may include personal information about you. Phishing scams are on the rise, and they are more convincing than before. Spear phishing attacks are personalized to their target to trick them into revealing confidential information.
You may believe you are getting an email from your bank asking you to change your password due to strange activity. When you click on the link, it may lead you to a site posing as your banking website (a spoofed site), where the attacker waits to capture your real password and create havoc in your life.
Security Awareness is Key
Remember to hover over links to view URLs before clicking, but it is best to type in web addresses yourself or go to a trusted bookmark. Never download attachments you were not expecting. And if it seems too good to be true, it usually is. The best way to secure your digital life is to learn the psychology behind hackers’ tricks.
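The hover check described above can be automated for HTML email. The following is an added example, not part of the original article: it lists links whose visible text shows one hostname while the underlying `href` points at an unrelated one. The function names, the matching heuristic and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")  # dotted name, alphabetic TLD

def shown_host(text):
    """First hostname-looking string in the visible link text, or ''."""
    match = HOST_RE.search(text.lower())
    return match.group(0) if match else ""

def real_host(href):
    """Hostname the browser would actually connect to, or ''."""
    try:
        return (urlsplit(href.strip()).hostname or "").lower()
    except ValueError:  # malformed netloc, e.g. unbalanced brackets
        return ""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text), self._href))
            self._href = None

def mismatched_links(html):
    """(shown host, real host) for links whose text and href disagree."""
    parser = LinkCollector()
    parser.feed(html)
    found = []
    for text, href in parser.links:
        shown, real = shown_host(text), real_host(href)
        related = real == shown or real.endswith("." + shown) or shown.endswith("." + real)
        if shown and real and not related:
            found.append((shown, real))
    return found

# Constructed sample message; all hostnames are placeholders.
SAMPLE = """<p>Strange activity detected. Reset your password at
<a href="https://mybank.example.account-verify.test/reset">https://www.mybank.example/reset</a>
or see <a href="https://www.mybank.example/help">mybank.example</a> for help.</p>"""
print(mismatched_links(SAMPLE))
```

Links whose text contains no hostname (for example "Sign in") are not flagged by this check, so it complements rather than replaces typing the address yourself.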