More than a billion personal records leaked. The biggest data breach in history

Data breaches have become routine, yet each newly reported incident seems to affect more users, and more seriously, than the last. Data protection specialists say that, most of the time, the compromised data ends up in the hands of marketing companies and even of threat actors on the dark web.

There are currently dozens of companies dedicated to collecting huge amounts of data from social media profiles, online forums and job networks. This is a security issue in itself: many of these companies lack adequate information protection controls, which leaves them prone to data breaches.

Bob Diachenko, a data protection expert primarily dedicated to finding and reporting databases exposed on the Internet, in collaboration with researcher Vinny Troia, revealed the discovery of more than one billion records exposed in an Elasticsearch implementation. As the researchers report, the exposed records come from two different data collection companies (known as “data brokers”).

The first of these companies, People Data Labs, based in California, has not been able to demonstrate that it has the express consent of individuals for the commercial use of their information. In total, the company exposed 622 million email addresses, about 50 million phone numbers and personal profiles built from information gathered on platforms such as Facebook, LinkedIn and Twitter, among others. There appear to be no duplicate elements, so each record is unique.

Data protection specialists know this type of collection as “data enrichment”: starting from a single data point (such as a full name, a username on some online platform, a workplace, etc.), the broker searches for the rest of a user’s personal information, then builds a profile of each user to offer to marketing companies.

In total, the researchers found four data indexes, three of which belonged to People Data Labs. These three indexes covered details of more than one billion people, including email addresses and other contact details.

On the other hand, the fourth index belongs to OxyData.io, and appears to hold information collected only from LinkedIn. The two companies have already contacted the researchers, claiming that none of the databases were exposed by malicious users.

Carl Wearn, head of e-crime research at security firm Mimecast, said: “These data are not only useful for digital marketing companies, but cybercriminals also use these resources to deploy phishing campaigns, credential stuffing, among other attack variants.”

The picture is certainly complex, and data brokers prefer not to make major changes to their practices in order to give users better protection. Data protection specialists from the International Institute of Cyber Security (IICS) therefore consider that legislators and authorities in each country should set limits, both on social media platforms and on data collection companies, to prevent these kinds of personal details from being exposed to anyone who cares to look.