
1.2 Billion Records Found Exposed Online in a Single Server (wired.com)

JustAnotherOldGuy writes: For well over a decade, identity thieves, phishers, and other online scammers have created a black market of stolen and aggregated consumer data that they used to break into people's accounts, steal their money, or impersonate them. In October, dark web researcher Vinny Troia found one such trove sitting exposed and easily accessible on an unsecured server, comprising 4 terabytes of personal information -- about 1.2 billion records in all. While the collection is impressive for its sheer volume, the data doesn't include sensitive information like passwords, credit card numbers, or Social Security numbers. It does, though, contain profiles of hundreds of millions of people that include home and cell phone numbers, associated social media profiles like Facebook, Twitter, LinkedIn, and Github, work histories seemingly scraped from LinkedIn, almost 50 million unique phone numbers, and 622 million unique email addresses. "It's bad that someone had this whole thing wide open," Troia says. "This is the first time I've seen all these social media profiles collected and merged with user profile information into a single database on this scale. From the perspective of an attacker, if the goal is to impersonate people or hijack their accounts, you have names, phone numbers, and associated account URLs. That's a lot of information in one place to get you started."
  • The right thing to do would have been to delete the database. Or, if that were not possible, to corrupt it beyond recovery. Like

    dd if=/dev/zero of=/path/to/database-file

    • The right thing to do would have been to delete the database.

      Sure. Because it is trivial to just delete a file on someone else's server?

      dd if=/dev/zero of=/path/to/database-file

      You need command line root access to do that. You can't run dd from a browser.

      • > You can't run dd from a browser.

        Unless that browser is IE 6. I'm pretty sure IE6 has enough holes that you can format the drive. :)

    • by smooth wombat ( 796938 ) on Friday November 22, 2019 @05:51PM (#59444276) Journal
      The right thing to do would have been to delete the database.

      From the story:

      Troia reported the exposure to contacts at the Federal Bureau of Investigation. Within a few hours, he says, someone pulled the server and the exposed data offline. The FBI declined to comment for this story.
    • by ron_ivi ( 607351 )

      That doesn't inform all the people whose information was leaked.

      Better to publish it openly so the victims are informed and can choose if they want to take any steps to further protect themselves.

  • That all sounds like public information to me. What's the problem again?
    • by NuAngel ( 732572 )

      Well, as the post says, "From the perspective of an attacker, if the goal is to impersonate people or hijack their accounts, you have names, phone numbers, and associated account URLs. That's a lot of information in one place to get you started."

      Yeah, it probably is publicly available if you scrape enough different sites, but the act of scraping all of them and then organizing it all is relatively monumental - so whoever had this DB already put a lot of work in to it. Even if their aims and goals were posit

    • That all sounds like public information to me.

      What's the problem again?

      The problem is that with America's idiotic financial system, this semi-public information is enough to steal someone's identity and establish credit in their name.

  • "Look guys! We've scraped together a giant ass list of emails, phone numbers, and names! It's the end of the world!"

    With all due respect, if you were dense enough to put your phone and email address into these services that's your own damn fault. There are all sorts of lead gen services out there that do this type of data mining already.

    It's like an article complaining about how there is a published manuscript of every phone number and name within your local city. A leak of such EPIC proportions!

    The hacker

    • With all due respect, if you were dense enough to put your phone and email address into these services that's your own damn fault.

      I think the point is that this implies that it's connected to something bigger, that this is just a piece of something much larger in scope.

      • I think the point is that this is a waste of good ASCII characters, and it's not even news. Pay $5 dollars to any ad agency and you would get more information than this. The implied implication that it is linked to "SOMETHING BIGGER" is a waste of uppercase ASCII characters.

        Save the planet, stop wasting ASCII!
  • That sounds a lot like an open Dossier Database just left in the wild minus intricate details such as credentials, medical records, and financial information.
  • by mrwireless ( 1056688 ) on Friday November 22, 2019 @06:09PM (#59444322)

    "if the goal is to impersonate people or hijack their accounts"

    That's not the goal at all. This dataset was bought from a databroker called People Data Labs.
    https://www.peopledatalabs.com... [peopledatalabs.com]

    They sell it to lots of companies, and this one didn't secure their copy very well.

    Databases like this are used for profiling. For advertising, yes, but also for things like Cambridge Analytica, government mass surveillance, mass medical analysis, etc. All of these things work by having a solid base to work with, and on top of that you build the actually valuable derived and inferred data. E.g. build your own judgemental scoring algorithm that is fed with user behavioural data.

    It's this scoring layer (which they will say is their data, not yours!) which will be used against your interests in some subtle way you're not even aware of. This stuff ends up under the hood of software that denies your job/loan/insurance/visa application.

    That's the beauty of it: people don't get angry about this stuff because their understanding of how the data economy works is still stuck in 2012. Most of them still think "profiling is just about showing me ads that fit my interests". So when they try to imagine nefarious purposes, they uncreatively end up at the digital version of something they know: identity theft.

    But identity theft is only a small part of the issue we're facing. The real issues are discrimination and loss of autonomy, all hidden under a veneer of 'neutral math' (see "mathwashing"). Eventually, as more people become aware of what this is actually about, we'll see something even more subtle and even more toxic: large scale chilling effects. E.g. https://www.socialcooling.com/ [socialcooling.com]

    • I was kind of curious so I went to the socialcooling site.

      I don't disagree with it, but I found the end fascinating. If you agree, you can help spread the word by clicking on the nicely provided Twitter, Facebook and LinkedIn links. Oh well, I don't have any of those precisely because they contribute to the described problem, which was somewhat anticipated by a lot of folks even in the Usenet News days.

  • Don't forget, it's still out there somewhere.
  • I wonder if it is as big as the one facebook or google has?
