Profiles of 1.2 billion individuals were exposed on a single server that contained everything from social media accounts to phone numbers and email addresses.
The data collection contained millions of social media profiles, nearly 50 million phone numbers and 622 million email addresses – making it one of the largest single source leaks in history.
The leak was discovered by a dark web researcher who said the server shared enough information so that hackers could easily impersonate victims online.
Vinny Troia made the discovery in October, while looking for exhibits with fellow security researcher Bob Diachenko at web scanning services BinaryEdge and Shodan, as first reported by Wired.
"This is the first time I've seen all these social media profiles collected and merged with user profile information in a single database at this scale," Troia told Wired.
From an attacker's perspective, whether the goal is to impersonate people or break into their accounts, you have associated account names, phone numbers, and URLs.
Approximately 1.2 billion profiles containing everything from social media accounts to phone numbers and email addresses were exposed on a single server. The data collection contained nearly 50 million phone numbers and 622 million email addresses, calling it "one of the largest data leaks from a single home organization in history."
He and Diachenko found four billion accounts, which belonged to 1.2 billion individuals, spanning more than four terabytes of data, but couldn't locate the culprit behind the leak – the server could only be traced back to Google Cloud Services.
There was also no way to know if the data was downloaded or found by someone else before its discovery, Troia noted in a blog post.
& # 39; Most data is marked as & # 39; PDL & # 39 ;, indicating that it originated from People Data Labs [PDL] & # 39 ;, he wrote.
"However, as far as we know, the server that leaked the data is not associated with the PDL."
As soon as you open the PDL website, the page highlights that the company has & # 39; s curriculum, contact, social and demographic data set for over 1.5 billion unique individuals.
"With just a few lines of code, you can start enriching tens to billions of records with over 150 data points."
According to Wired, this huge data set includes over one billion personal email addresses, over 420 million LinkedIn URLs, over one billion Facebook URLs and IDs, and over 400 million phone numbers, including over 200 million valid US mobile numbers. & # 39;
The data collection contained millions of Facebook and LinkedIn social media profiles, nearly 50 million phone numbers and 622 million email addresses – calling it one of the largest data leaks from a single home organization. in the story & # 39; & # 39 ;.
However, company co-founder Sean Thorne noted that his company does not have the server that hosted the exposed data.
"The owner of this server probably used one of our enrichment products, along with several other data enrichment or licensing services," said Thorne.
After a customer receives data from us or any other data provider, it is on their servers and security is their responsibility.
Although PDL seems to be the prime suspect, Troia, as far as he knows, does not believe the company is associated with the server.
However, he found that one of the datasets was labeled as & # 39; OXY & # 39; and all records located in the file had the same tag.
Troia suggests that this information may be linked to data broker Oxydata, which reportedly has four terabytes of data that contain 380 million consumer and employee profiles across 85 industries and 195 countries around the world.
The researcher said he reported the leak to the FBI and within hours of sharing the details, the server was gone and the data was taken offline.
VINNY TROIA IS A DATA INFRINGEMENT DETECTIVE: DISCOVERED A SEPARATE INFECTION IN 2018
Security researcher Vinny Troia discovered a separate violation in 2018.
About 340 million files were uploaded to a publicly accessible server.
Records include home addresses, telephone numbers, email addresses, and other confidential information of named individuals.
They also record their hobbies, interests and habits, as well as the number, age and gender of any children they have.
The leak is thought to be one of the biggest recent security breaches of its kind.
"It looks like this is a database of just about every American citizen," said security researcher Vinny Troi, who discovered the breach.
The data has been protected and the FBI has been informed, but there is currently no way to verify that your name was on the list.
The database he discovered contained two terabytes of information, so much data that it would take about five full days and nights to download over a 38Mb broadband connection.
In addition to the massive scope of the leak, the database went into surprising detail about the lives of the people covered.
Each record potentially included over 400 different factors, varying in religious beliefs and what size clothing they wear, whether they have pets or are interested in diving.
Martynas Simanauskas, Oxydata's director of inter-company business, emphasized that Oxydata was not the victim of a violation and denies labeling the data with an “OXY” tag, according to Wired.
"Although the part of the database found by Vinny may be purchased by us or one of our customers, it was definitely not disclosed," Simanauskas told WIRED.
& # 39; We have entered into agreements with all our customers that strictly prohibit data resale and oblige them to ensure that all appropriate security measures are taken.
"However, there is no way we can force all our customers to follow best practices and data protection guidelines."
"Judging by the data structure, it seems clear that the database found by Vinny is a third-party work product, with entries generated from many different sources."
Troia said he reported the leak to the FBI, and within hours of sharing the details, the server was gone and the data was taken offline.
Wired noted that the FBI declined to comment.