Data-broker leak exposes 340 million personal records

Phone numbers, home addresses and religious beliefs were publicly accessible.

Exactis might be fueled by data, but its recent blunder is a warning that any database without firewall protection is susceptible to leaks. The data aggregation company recently exposed over 300 million personal records -- statistically speaking, that's enough to cover the entire US population.

The leak was first discovered by Vinny Troia, a security researcher and founder of Night Lion Security. On a routine investigation using Shodan -- a search engine that allows users to identify internet-connected devices -- he looked up databases on open servers, and eventually stumbled upon the Exactis database, which, rather curiously, lacked any kind of firewall.

He found a 2TB data bank that stored nearly 340 million individual records, completely exposed to anyone acquainted well enough with cyber security.

While credit card or social security numbers weren't put in danger, sensitive data including personal interests, home and email addresses, religious beliefs, smoking status, phone numbers, and even the number, age and sex of a family's children -- were all visible. Troia told Wired that while most data was authentic, not every piece of it was up-to-date or verifiable. Unlike Equifax, or the colossal Yahoo breach, there's currently no evidence to suggest hackers obtained any of Exactis' data and used it with malicious intent.

Is there any cause for concern, then, if financial details weren't accessible? Mark Rotenberg says "certainly". Speaking with Wired, the president of the Electronic Privacy Information Center said there's still a chance fraudsters could have profiled and impersonated users. He also mentioned that most data gathered by information brokers (like Exactis) is actually retrieved from private outlets, including online subscriptions.

Exactis appears reluctant to offer any comments regarding the leak, however, the company has apparently shielded the data in question -- so it's no longer available to the public. We've reached out via email for confirmation. The leak does prompt a couple of questions -- namely, why appropriate firewall protection wasn't included to begin with, and an explanation for why consumers weren't informed their data was being collected.