Data on 1.2 billion consumers exposed online
By Dylan Bushell-Embling
Tuesday, 26 November, 2019
A massive trove of data with details of around 1.2 billion people has been found online on an unsecured server.

The 4-terabyte collection of personal information — including names, home and mobile phone numbers and associated account URLs — was discovered by dark web security researcher Vinny Troia in October.

The trove also includes associated social media profiles (Facebook, Twitter, LinkedIn and GitHub) and work histories that appear to have been scraped from LinkedIn profiles.

According to Troia, the information was discovered on a wide open Elasticsearch server, and contains around 4 billion user accounts owned by more than 1.2 billion people.

It appears to have been taken from two different data enrichment companies. Such companies offer a low-price method of enriching a user profile based on a single piece of information such as a name or email address with new data points covering topics such as finance and income, political and religious preferences, and even a person’s preferred social activities.

Troia said research suggests that most of the data appears to have been taken from People Data Labs. Meanwhile, the LinkedIn data appears to have been taken from OxyData.io, which provides an almost complete scrape of LinkedIn data.

Both companies have stated that the exposed server is not owned by them.

According to security expert and Microsoft Regional Director Troy Hunt, his own research suggests that the individual or group responsible for compiling the data most likely paid for it and accessed it through the data enrichment companies’ APIs, rather than stealing it in a data breach.

Such use is a violation of the companies’ terms of service, but once the information has left the data enrichment companies’ hands, there is very little they can do to control how it is used.

CyberArk SVP for EMEA Rich Turner said that, while on the surface this breach is less critical because the age of the data is unknown and it contains no high-value information such as passwords, its sheer size still makes it a threat.

“Being able to access not only email addresses but phone numbers and social media profiles of hundreds of millions of people makes a phishing expedition or an attempt to otherwise find, profile and compromise high-value targets — individuals or organisations — that much easier,” he said.

“The vast amount of data in the repository contained enough intelligence and detail to launch a well-targeted campaign which would allow a motivated group or individuals to obtain access, credentials and other highly valued information.”
