Exactis Breach Reveals Personal Data About 131 Million People
This is currently the ninth largest breach ever recorded by
US marketing firm Exactis has leaked almost two terabytes of personal data, amounting to 340 million records.
Around 131 million of those are thought to relate to individuals, leaving them open to fraud and online threats.
The breach is even larger than the massive Equifax breach, which attracted widespread media attention last year. It is currently the ninth largest breach ever recorded by Have I Been Pwned.
Exactis CEO Steve Hardigree claims that no damage was done, because its log files suggest no data was stolen.
Personal Data on a Public Server
Security researcher Vinny Troia found the Exactis database on a public-facing web server, via the Shodan search engine.
In this redacted example record posted by Troy Hunt, one person’s file contains more than 400 lines, including:
Number of children, with their gender and age
How many credit cards held, and what type
Value of home and mortgage.
Luckily, the data does not include credit card details or passwords.
How Did Exactis Get This Data?
Exactis isn’t a company that you sign up with directly. Instead, it pulls together data from other sites and services and aggregates the data they hold.
Many of the people in its database probably had no idea their details were held by Exactis in the first place.
According to LinkedIn,Exactis has just 9 employees, but its website boasts of holding 3.5 billion distinct records. There is some speculation that it may have harvested data from companies like GoDaddy.
Initial reports said that the file contains data on practically every American citizen, but many of the records relate to consumers in other countries, including the UK.
Were You Included in the Exactis Database?
The easiest way to check if your details were included is to search for your email address on Have I Been Pwned. Scroll down on the results page to find out which breaches, if any, you’ve been caught up in. Don’t forget to repeat the search for all of the email addresses you use.
After a data breach, the usual advice to consumers is to change passwords immediately. In this case, the majority of people who are included in this file probably have no idea what Exactis does, and probably have no password to change.
As such, there is very little you can do, apart from being extra-vigilant when it comes to phishing or spam.
The database is no longer publicly available, but if you’re an EU citizen, you can contact Exactis directly and ask to be removed from their database. Whether Exacties complies with your request is another matter.
According to its CEO, Exactis is already losing clients as a result of the negative media attention, and it’s hard to see how it can survive after making such a basic mistake.