Corporate database leak exposes millions of contact details

They include over 100,000 military personnel.


A 52.2GB corporate database that has leaked online compromises the contact details of over 33.7 million employees in the United States. The list includes government workers, most of whom are soldiers and other military personnel from the Department of Defense. According to ZDNet, the database came from business services firm Dun & Bradstreet, which sells it to marketers that send targeted email campaigns. Dun & Bradstreet denies suffering a security breach -- the company says the leaked information matches the type and format it delivers to customers. It could have come from any of its thousands of clients.

Troy Hunt, who runs breach notification website Have I Been Pwned, was the one who discovered the leak. After analyzing its contents, he found that they're composed of millions of people's names, their corresponding work email addresses and phone numbers, as well as their companies and job titles. Since it's a database sold to marketers, the leaked details all came from US-based companies and government agencies. Based on Hunt's analysis, here are the top ten entities in the list, along with the number of affected employees:

1. Department of Defense: 101,013
2. United States Postal Service: 88,153
3. AT&T: 67,382
4. Wal-Mart: 55,421
5. CVS: 40,739
6. The Ohio State University: 38,705
7. Citigroup: 35,292
8. Wells Fargo Bank, National Association: 34,928
9. Kaiser Foundation Hospitals: 34,805
10. International Business Machines (IBM) Corporation: 33,412

While the database doesn't contain more sensitive information, such as credit card numbers or SSNs, Hunt says it's an "absolute goldmine for [targeted] phishing."

He told ZDNet:

"From this data, you can piece together organizational structures and tailor messaging to create an air of authenticity and that's something that's attractive to crooks and nation-state actors alike."

Hunt has already uploaded the contents of the database to Have I Been Pwned, so you can check at any time whether your details have been compromised.