Marketing Firm Exactis Leaked a Personal Info Database With 340 Million Records (wired.com)
You've probably never heard of the marketing and data aggregation firm Exactis. But it may well have heard of you. And now there's also a good chance that whatever information the company has about you, it recently leaked onto the public internet, available to any hacker who simply knew where to look. From a report: Earlier this month, security researcher Vinny Troia discovered that Exactis, a data broker based in Palm Coast, Florida, had exposed a database that contained close to 340 million individual records on a publicly accessible server. The haul comprises close to 2 terabytes of data that appears to include personal information on hundreds of millions of American adults, as well as millions of businesses. While the precise number of individuals included in the data isn't clear -- and the leak doesn't seem to contain credit card information or Social Security numbers -- it does go into minute detail for each individual listed, including phone numbers, home addresses, email addresses, and other highly personal characteristics for every name. The categories range from interests and habits to the number, age, and gender of the person's children.
"It seems like this is a database with pretty much every US citizen in it," says Troia, who is the founder of his own New York-based security company, Night Lion Security. Troia notes that almost every person he's searched for in the database, he's found. And when WIRED asked him to find records for a list of 10 specific people in the database, he very quickly found six of them. "I don't know where the data is coming from, but it's one of the most comprehensive collections I've ever seen," he says.
someone have a link to the torrent? (Score:4, Interesting)
anyone?
Re: (Score:2)
Seriously, if anyone has the data, I want to have it too...
Re: (Score:2)
you know what's interesting,
You replied wanting to know, and you're a 5 digit uid so you might be 1998 or 1999
the guy above you is 6 digits and lower than mine 1999 or 2000
and me early 2000 ( I had one that was in the 147K range but I forgot the password )
so what's interesting is that we are all similar group and we all thought similar.
I will now want to ponder why
I've done the same reply to the guy above
Re: (Score:2)
I'm still waiting for the interesting part.
"The reconstruction machine wraps thermal bandages around Leeloo's body, yet she ends up with an extra bandage between her crotch & neck. "
You're welcome.
Re: (Score:2)
Mi two.
Re: (Score:2)
you know what's interesting,
You replied wanting to know, and you're 6 digits and lower than mine 1999 or 2000
the guy below you is a 5 digit uid so he might be 1998 or 1999
and me early 2000 ( I had one that was in the 147K range but I forgot the password )
so what's interesting is that we are all similar group and we all thought similar.
I will now want to ponder why.
did the same type of reply to the guy below
from their web site (Score:4, Informative)
Re:from their web site (Score:4, Insightful)
Let's add them to the prison database, with a field called: InForLife.
Re:Let's add them to the prison database (Score:2)
Bingo!
Screw the "corporate veil". Until someone in the management structure of the companies that collect all this data--and then allow it to leak onto public networks--goes to jail for most of their remaining years, they're simply not going to take data security seriously enough.
Re:Let's add them to the prison database (Score:4, Funny)
Re:from their web site (Score:5, Funny)
That's it, I'm calling it (Score:2, Interesting)
At this point, there have been so many "leaks" (whatever the fuck that means) of PI that we have reached a point where there simply is NO remaining PI for anyone older than 18 months old. It's all out there now. Everything about you is in the wild, including things you didn't know about yourself. Everyone now lives in a fishbowl. Get used to it.
I have a modest proposal. To even the playing field (and to make hoarding PI no longer profitable) there ought to be a national database of all our PI that has an op
Re: (Score:2)
Nope, they don't have mine because I'm not a consumer whore like y'all.
Must not live in the USA then. Look up Equifax's 2017 leak of 143+ million records on US dwellers if you need your memory refreshed about systematic collection that is dispassionate about YOU taking any consumer-ish steps. The big financial system is set up so they go straight to all your financial entities, which then happily leak YOUR data in the form of unhideable credit reports available to anyone with the right background. I believe this is supported by governmental edicts (think, public court records
Re: (Score:2)
How about a federal do not track database like the federal do not call database. Oh wait, they get around that by either saying you agreed to it when you did (pick something) or they are just simply criminals to begin with.
Re: (Score:2)
The "you agreed" argument is oftentimes not an agreement as much as a condition in fine print hidden within a bunch of incomprehensible legalese. Whether it's your cell provider, the finance company that gave you your car loan, or the power company, it's rarely spelled out in plain language and you are not always given an option to opt out.
After I purchased a new car I started getting calls for insurance and an extended warranty... Had I been given an option to opt out of them sharing my info with third
Re: (Score:1)
Funny thing. I bought a new car in December 2016 from a Dodge dealer in Florida. And I was given an option to opt out of that stuff, and did.
Yet, I still got the same junk calls and mail. Dug a little into it and found out that it wasn't Dodge that sold my info, it was the fucking DMV. That's right, the fucking state tax collector sold my info.
Re: (Score:2)
The Führer would be so proud of you!
Re: (Score:2)
A lot of that information goes out of date quickly. Home addresses, phone numbers, email addresses, and credit card numbers all change. People's interests change. People have children, and their children grow up. Personal information collected today will be much less useful to advertisers and hackers ten years from now.
We need to stop the collection and leaking of personal information. In time privacy will reestablish itself.
about the company (Score:2)
Re: (Score:1)
The data aggregation sector can go to hell and die in a fire.
This is what the GDPR was crafted for... (Score:2, Interesting)
These are the companies that the GDPR was meant to go after. Companies nobody knows what they do, slurp tons of data, get hacked, and cause all kinds of trouble. If they have any Europeans on their rolls, people should send them the GDPR Letter From Hell [linkedin.com].
It would be nice if we saw similar protection laws here in the US.
Re: (Score:2)
Go *after*? This is one of the most proactive data disclosures I've seen from any organization.
Re: (Score:1)
Proactive? They didn't disclose it, a security researcher did. "Exactis did not respond to multiple calls and emails from WIRED asking for comment on its data leak."
That's Free Enterprise, Baby! (Score:1)
Government regulation is for CHUMPS! Boo yah!
Serial stalker (Score:3)
I also wonder, with all of these giant data brokers out there collecting this much data on everyone, why is it so many companies screw the pooch when trying to collect debts. For example, a couple years back I had a case where a debt collector was trying to collect a student loan debt from me that was older than I am and the only match was on the first name.
Re: (Score:2)
Perhaps you haven't made the right campaign contributions. Also you have not laid down the proper legal boilerplate by establishing a legal personhood known as a corporation.
Re: (Score:3)
If I collected that much data on just a handful of random people I would be called a serial stalker and brought up on charges.
No, you wouldn't.
In stalking, the crime is about contacting the victim repeatedly after they've instructed you to stop. It is about unwanted contact, not about the collecting of data. If a stalker never made any contact, it would never become illegal.
Generally when you tell people working with the sort of data in the story to stop contacting you, they do; the next time the company contacts you it is a different person calling.
A key part of the stalking laws is that the victim would reasonably be afraid for
Put a financial cost to this. (Score:2)
When a company cannot secure the PI data it collects, then it should pay a fine for each person's data that it exposed.
Call the fine $120, which should be the low ball of credit monitoring for a year. (https://www.creditcards.com/credit-card-news/pros-cons-credit-monitoring-services-1282.php)
This amount should be payable to each person to do with as they wished. (I have multiple credit monitoring plans being run on me already this year. I'd rather have the cash.)
Re: (Score:2)
Just ban the collection, consolidation, and exchanging of such information. It doesn't serve the public good. Businesses have operated just fine in the past without this information.
The law can be simple. Unless I have done business with you, you don't get to keep records on me. If you wish to exchange or share records on me, you must get my explicit permission. Some of the information sold is from public records, but what is key here is that it also includes additional data not in public records. It's how m
Re: (Score:1)
This would prevent large companies with something to lose from doing it, but would do nothing for companies where it is their only gig.
Run the company, make money, and if something leaks, bankrupt the company and be done.
I guess it kills the collect data and get purchased out business model.
Re: (Score:1)
Phoenix laws soon put a stop to that.
Your country DOES have Phoenix laws, doesn't it?
Re: (Score:2)
Even a very small fine could make a big difference. Maybe $1 for less sensitive data like email addresses and phone numbers, $10 for more sensitive things like credit card numbers and social security numbers. But this would be the minimum statutory fine, independent of any damages caused. If someone can show they were hurt by the leak, they can still sue for compensation.
The main effect of this would likely be to make companies a lot more selective about what data they collect. Say you have a database o
Leakis Exactis? (Score:1)
Marketing Firm Exactis Leaked ... (Score:2)
Take 'em to court. Presumably they'll lose with a fine and jail-time. The company pays the fine, and as for the jail time? That's for the CEO.
He's the "brains" and "leader" of the operation? Let's treat him exactly that way.