Profiles of 1.2 billion individuals were left exposed on a single server that contained everything from social media accounts to phone numbers and email addresses.
The data trove contained millions of social media profiles, nearly 50 million phone numbers and 622 million email addresses – making it one of the largest leaks from a single source in history.
The leak was discovered by a dark web researcher who said the server shared enough information that hackers could easily impersonate the victims online.
Vinny Troia made the discovery in October while looking for exposures with fellow security researcher Bob Diachenko on the web scanning services BinaryEdge and Shodan, as first reported by Wired.
‘This is the first time I’ve seen all these social media profiles collected and merged with user profile information into a single database on this scale,’ Troia told Wired.
‘From the perspective of an attacker, if the goal is to impersonate people or hijack their accounts, you have names, phone numbers, and associated account URLs.’
He and Diachenko stumbled upon four billion accounts, belonging to the 1.2 billion individuals and spanning more than four terabytes of data, but were unable to locate the culprit behind the leak; the server could only be traced back to Google Cloud Services.
There was also no way to know if the data had been downloaded or found by anyone else prior to his discovery, Troia noted in a blog post.
‘The lion’s share of the data is marked as ‘PDL’, indicating that it originated from People Data Labs [PDL],’ he wrote.
‘However, as far as we can tell, the server that leaked the data is not associated with PDL.’
As soon as you open PDL’s website, the page highlights that the firm has ‘a dataset of resume, contact, social, and demographic information for over 1.5 Billion unique individuals.’
‘With just a few lines of code, you can begin enriching anywhere from dozens to billions of records with over 150 data points.’
According to Wired, this massive dataset includes ‘more than a billion personal email addresses, more than 420 million LinkedIn URLs, more than a billion Facebook URLs and IDs, and more than 400 million phone numbers, including more than 200 million valid US cellphone numbers.’
However, the firm’s cofounder, Sean Thorne, noted that his company does not own the server that hosted the exposed data.
‘The owner of this server likely used one of our enrichment products, along with a number of other data enrichment or licensing services,’ Thorne said.
‘Once a customer receives data from us, or any other data providers, the data is on their servers and the security is their responsibility.’
Although PDL appears to be a prime suspect, Troia does not believe, as far as he can tell, that the firm is associated with the server.
However, he did find that one of the datasets was labeled ‘OXY’, and every record located in the file carried the same tag.
Troia suggests that this information could be linked to the data broker Oxydata, which allegedly has four terabytes of data that contain 380 million profiles on consumers and employees in 85 industries and 195 countries around the world.
The researcher said he reported the leak to the FBI and within a few hours of sharing the details, the server was gone and the data was taken offline.
VINNY TROIA IS A DATA BREACH DETECTIVE: HE DISCOVERED A SEPARATE BREACH IN 2018
Security researcher Vinny Troia discovered a separate breach in 2018.
Some 340 million files were uploaded to a publicly accessible server.
The records include home addresses, phone numbers, email addresses and other sensitive information for named individuals.
They also record their hobbies, interests and habits, as well as the number, age, and gender of any children they have.
The leak is thought to be one of the biggest recent security breaches of its kind.
‘It seems like this is a database with pretty much every US citizen in it,’ said security researcher Vinny Troia, who uncovered the breach.
The data has since been protected and the FBI informed, but there is currently no way to check whether your name was on the list.
The database he unearthed contained two terabytes of information, so much data it would take around five full days and nights to download on a 38Mb broadband connection.
As well as the massive scope of the leak, the database went into astonishing detail about the lives of the people it covered.
Each record potentially included more than 400 different factors, ranging from religious beliefs and what size clothing they wear, to whether they have pets or an interest in scuba diving.
Martynas Simanauskas, Oxydata’s director of business-to-business sales, emphasized that Oxydata has not fallen victim to a breach, and denied that it labels data with an ‘OXY’ tag, according to Wired.
‘While the part of the database Vinny found presumably might be acquired from us or one of our customers, it has definitely not been leaked from our database,’ Simanauskas told Wired.
‘We sign agreements with all our clients that strictly forbid data reselling and oblige them to ensure that all of the appropriate security measures are taken.
‘However, there is no way for us to enforce all of our clients to follow the best data protection practices and guidelines.’
‘Judging from the data structure it seems clear that the database found by Vinny is a work product of a third party, with entries generated from multiple different sources.’
Wired noted that the FBI declined to comment.