Security researchers Bob Diachenko and Vinny Troia discovered an open Elasticsearch server, reachable without any authentication, holding 4 terabytes of data: roughly 4 billion records covering about 1.2 billion unique people. The records contained names, email addresses, phone numbers and links to LinkedIn, Twitter, Facebook and other social-media profiles.
The server held no passwords, bank card numbers or similar secrets, but Troia notes that he had never seen a single database of that size before.
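An Elasticsearch instance that answers an unauthenticated GET / with HTTP 200 is exactly the kind of exposure described above. The following Python script is an added illustration, not code from the researchers or from the article: it classifies that response and summarises how many documents and bytes an open cluster exposes from the stock `_cat/indices` API, which is the first thing a researcher (or a defender checking their own inventory) wants to know before touching a single record. The host URL, the function names and the index rows in `SAMPLE_CAT_INDICES` are constructed; only the REST endpoints and `_cat` column names are real Elasticsearch API.

```python
"""Probe an Elasticsearch endpoint for unauthenticated access and summarise what it exposes.

Added example, not from the original article or the researchers. Uses only the stock
Elasticsearch REST API (GET / and GET /_cat/indices); URL and sample rows are constructed.
"""
import json
import urllib.error
import urllib.request

# Constructed sample of what GET /_cat/indices?format=json&bytes=b returns on an
# open cluster. Column names are the real _cat ones; index names and values are made up.
SAMPLE_CAT_INDICES = json.dumps([
    {"health": "green", "status": "open", "index": "pdl_people_v3", "uuid": "aaaa",
     "pri": "5", "rep": "0", "docs.count": "2990000000", "docs.deleted": "0",
     "store.size": "3100000000000", "pri.store.size": "3100000000000"},
    {"health": "yellow", "status": "open", "index": "oxy_profiles", "uuid": "bbbb",
     "pri": "5", "rep": "1", "docs.count": "1010000000", "docs.deleted": "12",
     "store.size": "900000000000", "pri.store.size": "900000000000"},
    {"health": "green", "status": "open", "index": ".kibana_1", "uuid": "cccc",
     "pri": "1", "rep": "0", "docs.count": "3", "docs.deleted": "0",
     "store.size": "10240", "pri.store.size": "10240"},
])


def classify_status(status: int) -> str:
    """Map the HTTP status of an unauthenticated GET / to an exposure verdict."""
    if status == 200:
        return "OPEN"            # cluster answers without credentials
    if status in (401, 403):
        return "AUTH_REQUIRED"   # xpack.security or a fronting proxy enforces auth
    return "UNKNOWN"


def summarise_indices(cat_indices_json: str, skip_system: bool = True) -> dict:
    """Total documents and bytes from a _cat/indices JSON body.

    _cat returns every value as a string, so counts are converted explicitly.
    System indices (names starting with '.') are skipped unless asked for.
    """
    per_index = {}
    total_docs = total_bytes = 0
    for row in json.loads(cat_indices_json):
        name = row["index"]
        if skip_system and name.startswith("."):
            continue
        docs = int(row["docs.count"])
        size = int(row["store.size"])   # bytes because the query used bytes=b
        per_index[name] = {"docs": docs, "bytes": size}
        total_docs += docs
        total_bytes += size
    return {
        "indices": per_index,
        "total_docs": total_docs,
        "total_bytes": total_bytes,
        "total_tb": round(total_bytes / 1e12, 2),
    }


def probe(base_url: str, timeout: float = 5.0) -> dict:
    """Live check: sends no credentials. Returns the verdict plus a summary if open."""
    root = base_url.rstrip("/")
    try:
        with urllib.request.urlopen(root + "/", timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    result = {"url": base_url, "status": status, "verdict": classify_status(status)}
    if result["verdict"] == "OPEN":
        with urllib.request.urlopen(root + "/_cat/indices?format=json&bytes=b",
                                    timeout=timeout) as resp:
            result["summary"] = summarise_indices(resp.read().decode())
    return result


if __name__ == "__main__":
    # Offline demonstration on the constructed sample. For a live host you are
    # authorised to test, call e.g. probe("http://198.51.100.10:9200") instead.
    print(json.dumps(summarise_indices(SAMPLE_CAT_INDICES), indent=2))
```

Elasticsearch 8.x ships with security enabled by default and answers 401 to the bare GET; the exposed clusters found in cases like this one are typically older releases, or deployments where `xpack.security.enabled` was set to `false`, listening on a public interface. Run `probe` only against hosts you are authorised to test.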
“What makes this data leak unique is that it contains data sets that appear to originate from 2 different data enrichment companies,” the researchers write.
Studying the data, the researchers concluded that it originated from two data brokers, People Data Labs (PDL) and OxyData: the database was a continuously updated aggregate compiled from many sources.
For example, deduplicating the nearly three billion records held in the indices labelled PDL yielded about 1.2 billion unique people and about 650 million unique email addresses. These figures match the statistics People Data Labs publishes on its own website, and the researchers also confirmed that records on the exposed server were almost identical to what the People Data Labs API returns for the same people.
Speaking to Wired, however, representatives of People Data Labs stressed that the exposed server was not theirs and that the company had neither been hacked nor leaked data.
The researchers were unable to establish who actually owned the server holding the 4 terabytes of data.
“People Data Labs and Oxydata are unlikely to have been hacked, because it was much easier to simply acquire this data from the companies legally. Most likely, one of the data brokers' clients did not protect its server properly,” Bob Diachenko and Vinny Troia conclude.
In the researchers' view, this highlights the serious security and privacy problems inherent in the data-enrichment business. Datasets of this size are an ideal starting point for attackers whose goal is, for example, identity theft or account takeover: targeted phishing, SIM swapping and password-reset abuse are all far easier when names, phone numbers, email addresses and the URLs of the matching social-media profiles are already to hand.
Given the sheer volume of personal information involved and the difficulty of identifying the data's owner, the case raises questions about the effectiveness of current privacy and breach-notification laws: if no owner can be identified, nobody is obliged to notify the affected people.