You’ve probably never heard of the marketing and data aggregation firm Exactis. But it may well have heard of you. And now there’s also a good chance that whatever information the company has about you, it recently leaked onto the public internet, available to any hacker who simply knew where to look.
Earlier this month, security researcher Vinny Troia discovered that Exactis, a data broker based in Palm Coast, Florida, had exposed a database that contained close to 340 million individual records on a publicly accessible server. The haul comprises close to 2 terabytes of data that appears to include personal information on millions of American adults, as well as millions of businesses. While the precise number of individuals included in the data isn’t clear, and the leak doesn’t seem to contain credit card info or Social Security numbers, it does go into minute detail for each individual listed, including phone numbers, home addresses, email addresses, and other highly personal characteristics for every name. The categories range from interests and habits to the number, age, and gender of the person’s children.
“It seems like this is a database with pretty much every US citizen in it,” says Troia, who is the founder of his own New York-based security company, Night Lion Security. Troia notes that he has found almost every person he has searched for in the database. And when WIRED asked him to find records for a list of 10 specific people in the database, he very quickly procured six of them. “I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen,” he says.
In the Open
While it’s far from clear whether any criminal or malicious hackers have accessed the database, Troia says it would have been easy enough for them to find. Troia himself spotted the database while using the search tool Shodan, which allows researchers to scan for all manner of internet-connected devices. He says he’d been curious about the security of ElasticSearch, a popular type of database that’s designed to be easily queried over the internet using only the command line. So he simply used Shodan to search for all ElasticSearch databases visible on publicly accessible servers with American IP addresses. That returned about 7,000 results. As Troia combed through them, he quickly identified the Exactis database, unprotected by any firewall.