Marketing Firm Exactis Leaked a Personal Info Database With 340 Million Records (wired.com)

You've probably never heard of the marketing and data aggregation firm Exactis. But it may well have heard of you. And now there's also a good chance that whatever information the company has about you, it recently leaked onto the public internet, available to any hacker who simply knew where to look. From a report: Earlier this month, security researcher Vinny Troia discovered that Exactis, a data broker based in Palm Coast, Florida, had exposed a database that contained close to 340 million individual records on a publicly accessible server. The haul comprises close to 2 terabytes of data that appears to include personal information on hundreds of millions of American adults, as well as millions of businesses. While the precise number of individuals included in the data isn't clear -- and the leak doesn't seem to contain credit card information or Social Security numbers -- it does go into minute detail for each individual listed, including phone numbers, home addresses, email addresses, and other highly personal characteristics for every name. The categories range from interests and habits to the number, age, and gender of the person's children.

"It seems like this is a database with pretty much every US citizen in it," says Troia, who is the founder of his own New York-based security company, Night Lion Security. Troia notes that almost every person he's searched for in the database, he's found. And when WIRED asked him to find records for a list of 10 specific people in the database, he very quickly found six of them. "I don't know where the data is coming from, but it's one of the most comprehensive collections I've ever seen," he says.

  • by onepoint ( 301486 ) on Thursday June 28, 2018 @01:04PM (#56860602) Homepage Journal

    anyone?

    • by mi ( 197448 )

      Seriously, if anyone has the data, I want to have it too...

      • ZOMG MEE TOO.
        • You know what's interesting:
          you replied wanting to know, and you're a 5-digit uid, so you might be 1998 or 1999;
          the guy above you is 6 digits and lower than mine, 1999 or 2000;
          and me early 2000 (I had one that was in the 147K range but I forgot the password).
          So what's interesting is that we are all a similar group and we all thought similarly.
          I will now want to ponder why.
          I've done the same reply to the guy above.

          • I'm still waiting for the interesting part.
            • I'm still waiting for the interesting part.

              "The reconstruction machine wraps thermal bandages around Leeloo's body, yet she ends up with an extra bandage between her crotch & neck. "

              You're welcome.

        • Mi two.

      • You know what's interesting:
        you replied wanting to know, and you're 6 digits and lower than mine, 1999 or 2000;
        the guy below you is a 5-digit uid, so he might be 1998 or 1999;
        and me early 2000 (I had one that was in the 147K range but I forgot the password).
        So what's interesting is that we are all a similar group and we all thought similarly.
        I will now want to ponder why.
        Did the same type of reply to the guy below.

  • from their web site (Score:4, Informative)

    by ole_timer ( 4293573 ) on Thursday June 28, 2018 @01:07PM (#56860630)
    Data is the fuel that powers Exactis. Warehousing over 3.5 billion consumer, business, and digital records, The Exactis Data Cloud provides knowledge and insight to hundreds of firms enabling them to achieve marketing success through the use of high quality data. The Exactis data cloud is one of the largest and most respected in the data marketing industry. It is constructed of hundreds of compiled and proprietary data sources, has over 400 different selects, and utilizes a triple verification process to guarantee accurate targeting. This includes demographic, geographic, firmographic, lifestyle, interests, CPG, automotive, and behavioral data.
  • At this point, there have been so many "leaks" (whatever the fuck that means) of PI that we have reached a point where there simply is NO remaining PI for anyone older than 18 months old. It's all out there now. Everything about you is in the wild, including things you didn't know about yourself. Everyone now lives in a fishbowl. Get used to it.

    I have a modest proposal. To even the playing field (and to make hoarding PI no longer profitable) there ought to be a national database of all our PI that has an op

    • How about a federal do not track database like the federal do not call database. Oh wait, they get around that by either saying you agreed to it when you did (pick something) or they are just simply criminals to begin with.

      • you agreed to let them collect...in any case businesses tend to have more rights than consumers...at least in the US
        • The "you agreed" argument is oftentimes not an agreement as much as a condition in fine print hidden within a bunch of incomprehensible legalese. Whether it's your cell provider, the finance company that gave you your car loan, or the power company, it's rarely spelled out in plain language and you are not always given an option to opt out.

          After I purchased a new car I started getting calls for insurance and an extended warranty... Had I been given an option to opt out of them sharing my info with third

          • that's the point - we can only opt out on certain transactions - businesses have rights over consumers in US...congress needs to act...EU has it flipped - consumers come first
          • by Anonymous Coward

            Funny thing. I bought a new car in December 2016 from a Dodge dealer in Florida. And I was given an option to opt out of that stuff, and did.

            Yet, I still got the same junk calls and mail. Dug a little into it and found out that it wasn't Dodge that sold my info, it was the fucking DMV. That's right, the fucking state tax collector sold my info.

    • congress would have to act and the lobby by businesses would be dead set against...
    • by Hylandr ( 813770 )

      The Führer would be so proud of you!

    • A lot of that information goes out of date quickly. Home addresses, phone numbers, email addresses, and credit card numbers all change. People's interests change. People have children, and their children grow up. Personal information collected today will be much less useful to advertisers and hackers ten years from now.

      We need to stop the collection and leaking of personal information. In time privacy will reestablish itself.

  • Greg Williams COO Greg brings over 20 years of Internet marketing experience as both an Internet entrepreneur and operational leader in the data and digital marketplace. During his tenure, he has developed a multitude of successful business relationships that continue to thrive. Greg oversees the day to day operations of Exactis and plays an integral role in our platform and data development projects including but not limited to data123.com, autoappend.com, and dataverification.com. but nothing about
  • by Anonymous Coward

    These are the companies that the GDPR was meant to go after. Companies nobody knows what they do, slurp tons of data, get hacked, and cause all kinds of trouble. If they have any Europeans on their rolls, people should send them the GDPR Letter From Hell [linkedin.com].

    It would be nice if we saw similar protection laws here in the US.

    • Go *after*? This is one of the most proactive data disclosures I've seen from any organization.

      • by Anonymous Coward

        Proactive? They didn't disclose it, a security researcher did. "Exactis did not respond to multiple calls and emails from WIRED asking for comment on its data leak."

  • Government regulation is for CHUMPS! Boo yah!

  • by Bob the Super Hamste ( 1152367 ) on Thursday June 28, 2018 @01:51PM (#56860902) Homepage
    If I collected that much data on just a handful of random people I would be called a serial stalker and brought up on charges. Why doesn't the same thing happen to these companies?

    I also wonder, with all of these giant data brokers out there collecting this much data on everyone, why so many companies screw the pooch when trying to collect debts. For example, a couple of years back I had a case where a debt collector was trying to collect a student loan debt from me that was older than I am, and the only match was on the first name.
    • Perhaps you haven't made the right campaign contributions. Also, you have not laid down the proper legal boilerplate by establishing a legal personhood known as a corporation.

    • If I collected that much data on just a handful of random people I would be called a serial stalker and brought up on charges.

      No, you wouldn't.

      In stalking, the crime is about contacting the victim repeatedly after they've instructed you to stop. It is about unwanted contact, not about the collecting of data. If a stalker never made any contact, it would never become illegal.

      Generally when you tell people working with the sort of data in the story to stop contacting you, they do; the next time the company contacts you it is a different person calling.

      A key part of the stalking laws is that the victim would reasonably be afraid for

  • When a company cannot secure the PI data it collects, then it should pay a fine for each person's data that it exposed.

    Call the fine $120, which should be the low ball of credit monitoring for a year. (https://www.creditcards.com/credit-card-news/pros-cons-credit-monitoring-services-1282.php)

    This amount should be payable to each person to do with as they wished. (I have multiple credit monitoring plans being run on me already this year. I'd rather have the cash.)

    • Just ban the collection, consolidation, and exchanging of such information. It doesn't serve the public good. Businesses have operated just fine in the past without this information.

      The law can be simple. Unless I have done business with you, you don't get to keep records on me. If you wish to exchange or share records on me, you must get my explicit permission. Some of the information sold is from public records, but what is key here is that it also includes additional data not in public records. It's how m

    • by AvitarX ( 172628 )

      This would prevent large companies with something to lose from doing it, but would do nothing for companies where it is their only gig.

      Run the company, make money, and if something leaks, bankrupt the company and be done.

      I guess it kills the collect data and get purchased out business model.

    • Even a very small fine could make a big difference. Maybe $1 for less sensitive data like email addresses and phone numbers, $10 for more sensitive things like credit card numbers and social security numbers. But this would be the minimum statutory fine, independent of any damages caused. If someone can show they were hurt by the leak, they can still sue for compensation.

      The main effect of this would likely be to make companies a lot more selective about what data they collect. Say you have a database o

  • This is what I thought, after reading: "Exactis leaked..."
  • OK, so corporations want to be people? Fine.

    Take 'em to court. Presumably they'll lose, with a fine and jail time. The company pays the fine, and as for the jail time? That's for the CEO.

    He's the "brains" and "leader" of the operation? Let's treat him exactly that way.
