About 1.2 billion profiles that contained everything, from social media accounts to phone numbers and email addresses, remained visible on a single server.
The data collection contains millions of social media profiles, nearly 50 million telephone numbers and 622 million e-mail addresses, making it one of the largest leaks from one source in history.
The vulnerability was discovered by a dark web researcher who said that the server shared enough information so that hackers could easily present themselves as the victims online.
Vinny Troia made the discovery in October while she was looking for exposures with fellow security researcher Bob Diachenko on the web scanning services BinaryEdge and Shodan, as first reported by Wired.
& # 39; This is the first time I have collected and merged all these social media profiles with user profile information in a single database on this scale & # 39 ;, Troia told Wired.
& # 39; From an attacker's perspective, if the goal is to emulate people or hijack their accounts, you have names, phone numbers, and associated account URL & # 39; s. & # 39;
About 1.2 billion profiles that contained everything, from social media accounts to phone numbers and email addresses, remained visible on a single server. The data collection contained nearly 50 million telephone numbers and 622 million e-mail addresses, calling it & # 39; one of the largest data breaches of one source organization in history & # 39;
He and Diachenko encountered four billion user accounts with more than four terabytes of data, but could not find the culprit behind the leak – the server could only be traced to Google Cloud Services.
There was also no way of knowing whether the data had been downloaded or found by someone else before his discovery, Troia noted in one blog post.
& # 39; The lion's share of data is marked as & # 39; PDL & # 39 ;, indicating that it comes from People Data Labs [PDL] & # 39 ;, he wrote.
& # 39; However, as far as we know, the server that leaked the data is not associated with PDL. & # 39;
As soon as you open the PDL website, the page emphasizes that the company & # 39; has a dataset with resume, contact, social and demographic information for more than 1.5 billion unique individuals. & # 39;
& # 39; With just a few lines of code, you can begin to enrich tens to billions of records with more than 150 data points. & # 39;
According to Wired, this huge dataset contains more than one billion personal email addresses, more than 420 million LinkedIn URLs, more than one billion Facebook URLs, and IDs # 39; s and more More than 400 million phone numbers, including more than 200 million valid US mobile phone numbers. & # 39;
The data collection contains millions of social media profiles, from Facebook and LinkedIn, nearly 50 million phone numbers and 622 million email addresses – making it & # 39; one of the largest data breaches of a single source organization in history & # 39; is.
However, the co-founder of the company, Sean Thorne, noted that his company is not the owner of the server hosting the exposed data.
& # 39; The owner of this server has probably used one of our enrichment products, along with a number of other data enrichment or licensing services, & # 39; said Thorne.
& # 39; As soon as a customer receives data from us or other data providers, the data is on their servers and security is their responsibility.
Although PDL appears to be a prime suspect, Troia does not believe that the company is connected to the server as far as he knows.
However, he found that one of the datasets was labeled & # 39; OXY & # 39; and each record in the file had the same tag.
Troia suggests that this information can be linked to the data broker Oxydata, which is said to contain four terabytes of data with 380 million consumer and employee profiles in 85 industries and 195 countries around the world.
The investigator said he had reported the leak to the FBI and within hours of sharing the details, the server disappeared and the data was taken offline.
VINNY TROIA IS A DATA INFRINGEMENT DETECTIVE: HE DISCOVER A INDIVIDUAL INFRINGEMENT IN 2018
Security investigator Vinny Troia discovered a separate breach in 2018.
About 340 million files were uploaded on a publicly accessible server.
The records include home addresses, telephone numbers, e-mail addresses, and other sensitive information for said individuals.
They also record their hobbies, interests and habits, as well as the number, age and gender of any children they have.
The leak is considered to be one of the largest recent security breaches of its kind.
& # 39; It appears that this is a database with almost every American citizen & # 39 ;, said security investigator Vinny Troi who discovered the breach.
The data has since been protected and the FBI informed, but there is currently no way to check if your name was on the list.
The database he found contained two terabytes of information, so much data that it would take about five full days and nights to download on a 38Mb broadband connection.
In addition to the huge size of the leak, the database was about amazing details about the lives of the people who leaked it.
Each record may have contained more than 400 different factors ranging from religious beliefs and the size of clothing they wear to whether they have pets or are interested in diving.
Martynas Simanauskas, Oxydata director of business-to-business sales, emphasized that Oxydata has not fallen victim to an infringement and denies that it is labeling data with an & # 39; OXY & # 39; tag, Wired said.
& # 39; Although the part of the database that Vinny has found may have been purchased from us or from one of our customers, it certainly did not leak out of our database & # 39 ;, Simanauskas told WIRED.
& # 39; We sign the agreements with all our customers who strictly prohibit the resale of data and require them to ensure that all appropriate security measures are taken.
& # 39; However, there is no way to force all our customers to follow best practices and data protection guidelines. & # 39;
& # 39; Based on the data structure, it seems clear that the database found by Vinny is a third-party work product, with data generated from multiple different sources. & # 39;
Troia said he had reported the leak to the FBI and within hours of sharing the details, the server disappeared and the data was taken offline.
Wired commented that the FBI refused to comment.
. [TagsToTranslate] Dailymail