Exactis exposed 340 million personal records to the internet

Why it matters: Data aggregation firm Exactis exposed the records of more than 230 million individuals in an unprotected database to the internet. Considering the current population of the US is said to be around 325 million, chances are high that your information was on its servers.

Exactis is not a company that I had even heard about until today, but apparently, they have probably heard of me. The firm collects publicly available data on individuals and businesses for marketing purposes. According to its website, it sells these profiles to third-party marketers and resellers.

"In today's highly competitive global business environment, data is your single most powerful asset for achieving business growth," it says on its website right before mentioning that it has access to the records of 218 million individuals in 110 million households. It also boasts about having 88 million emails and 112 million phone numbers. However, it would appear that it has even more information than what its website claims.

According to Wired, a security researcher stumbled upon an Exactis database that was wide open to the internet. Night Lion Security researcher Vinny Troia said the DB contained over 340 million records. About 230 million are for individuals, and 110 million are businesses. This is significantly more than those exposed during the Equifax breach last year.

"Each record contains entries that go far beyond contact information and public records to include more than 400 variables on a vast range of specific characteristics."

What's more, the records contain more than just email addresses and phone numbers.

"I don't know where the data is coming from, but it's one of the most comprehensive collections I've ever seen," said Troia.

While the files did not contain any financial information or social security numbers, they did hold wildly personal information such as interests, habits, and the number, age, and gender of any children of the individual.

"Aside from the sheer breadth of the Exactis leak, it may be even more remarkable for its depth: Each record contains entries that go far beyond contact information and public records to include more than 400 variables on a vast range of specific characteristics: whether the person smokes, their religion, whether they have dogs or cats, and interests as varied as scuba diving and plus-size apparel. Wired independently analyzed a sample of the data Troia shared and confirmed its authenticity, though in some cases the information is outdated or inaccurate."

Troia notified both Exactis and the FBI about the exposed data last week. Exactis has already tucked the data away, but there is no way to know how long it had been accessible to anyone looking. He found the database by searching for ElasticSearch servers using the search tool Shodan. Out of 7,000 returned servers, Exactis stuck out since it was completely unprotected. Troia believes it is very likely that others already have the data.

"I'm not the first person to think of scraping ElasticSearch servers," he said. "I'd be surprised if someone else didn't already have this."

Even though the information contained does not pose a significant risk for financial fraud or identity theft, it still provides opportunities for social engineering. While a lot of the data is available publicly, some is not. Magazine subscriptions, credit reports, and credit card transaction data sold by banks can provide an aggregator like Exactis enough information to make certain assumptions that are not of public record, like whether or not a person smokes or skydives.

Executive Director Marc Rotenberg of the nonprofit Electronic Privacy Information Center's says, "The likelihood of financial fraud is not that great, but the possibility of impersonation or profiling is certainly there."

Wired has reached out to Exactis for comment on the situation a number of times, but has so far been ignored.