A Florida marketing firm just exposed the details of millions of people

Gladys Abbott
July 1, 2018

Troia, the founder of Night Lion Security, further stated: "It seems like this is a database with pretty much every US citizen in it". The exposed records were identified by a NY security researcher earlier this month, who alerted the company and law enforcement, reports Wired.

Still recovering from Equifax data breach?

However, Troia said that other personal details may have been exposed. Wired reported that Exactis secured the databases after Troia revealed the problem, which should mean it can't be accessed by anyone else. While the exact number of individuals affected isn't known, the leak involved about 340 million records on a publicly available server.

While the database apparently does not include credit-card numbers or Social Security numbers, it does include phone numbers, email and postal addresses as well as more than 400 personal characteristics, such as whether a person is a smoker, if they own a dog or cat, their religion and a multitude of personal interests.

"There are so many fields", Troia says. "I searched celebrities, I searched people I know", he said. "It's very unusual to see".

Even though the database did not contain Social Security numbers or financial information, the wealth of information it stored could allow any professional hacker to match identities with details exposed through previous leaks and carry out social engineering attacks or large-scale identity fraud.

Exactis has now reconfigured the database so that it cannot be accessed publicly, but it is not known how long it was configured for public access before Troia discovered it.

Exactis immediately shut off access to the database after Troia notified the company.

Troia has stated that to locate the server an individual would have to know where to look.

A Shodan search on June 28 for internet-connected systems that listen on port 9200 - as Elasticsearch instances do - turned up thousands of results. "But we want to make sure that they adopt best practices and they ensure that no data was actually exfiltrated or taken by hackers, and that they adapt certain policies to ensure that this kind of thing doesn't happen again". Other companies that track similar information include Epsilon, Acxiom, Palantir, Google, Amazon and Facebook, according to Market Watch.

"They [Exactis] were happy I told them", Troia says.

Exactis is yet to comment on the issue.

This reliance on data aggregator firms has ended up creating an online space where users continue to share more and more about their lives, and businesses, small and large, continue to hire firms that enable them to target these users.

In response to the news, attorneys filed the first class action lawsuit against Exactis over the alleged breach on Friday.

On its website, Exactis said it maintained 3.5 billion consumer, business and digital records, including "demographic, geographic, firmographic, lifestyle, interests, CPG, automotive, and behavioral data". About 230 million records are of US adults, while the remaining 110 million are of US business contacts.

The sources for the data harvested by Exactis are unclear.

Exactis isn't the only firm to have left sensitive information in internet-exposed databases lacking encryption.
