Marketing Firm Data Leak Leaves 300 Million Americans' Information Exposed

The records of hundreds of millions of Americans have been exposed online due to a data breach in a Florida-based marketing company.

On Wednesday, renowned security researcher and keynote speaker Vinny Troia revealed that he discovered a database containing around 340 million personal records of people available online. According to Troia, the database is owned by the marketing firm Exactis based in Florida.

Exactis is a firm whose specialization involves helping businesses reach potential clients through phone numbers and email or postal addresses. For some unknown reason, the confidential records appear to have been left available online, making it accessible to basically everyone on the Internet.

Troia, who’s also the founder of the New York-based security company Night Lion Security, said that he has already reported his discovery to the FBI and Exactis earlier this week. Exactis has since then protected the data, making it unclear now just how long it has sat exposed online.

In an interview with Wired, Troia mentioned that the compromised records are from nearly every United States citizen. Approximately, about 230 million records are of U.S. adults while the remaining 110 million are of U.S. business contacts.

Aside from phone numbers and addresses, the database also holds the records about 400 characteristics exhibited by a person like vices, religion, pet ownership, gender, number of kids, age, and many others.

“I looked up a bunch of my friends and the data was all pretty accurate,” Troia added. “This is more information that other people can use to create scams or do fraudulent activities.”

No financial information or Social Security numbers were reportedly exposed. However, cybercriminals could still use the information and crosscheck it with previous data breaches to create a complete profile of anyone or use them to execute targeted attacks.

Exactis has not issued any statement regarding the matter, and it is still unclear whether hackers found the information. The latter, according to Troia, is not really impossible since the marketing firm was indexed online.

“The server was kind of wide open. If anybody was looking for it, they could’ve found it and grabbed the data,” he said.

Do you agree that companies who keep the personal information of millions of individuals should be heavily sanctioned in case of massive data breaches like this?