If you live in the United States and you’ve ever given any personal information to any company for any reason, chances are anyone in the world has had access to those records. That’s what security researcher Vinny Troia discovered last week, as Wired reported on Wednesday.
A Florida-based company named Exactis that collects and sells consumer marketing data reportedly left a database containing 2 terabytes of data on nearly 218 million American consumers and 110 million business contacts exposed on a publicly accessible server, unprotected by any kind of firewall.
The sort-of good news is that the leaked data does not appear to include credit card information or Social Security numbers, but just about anything else any company knows about you was open for anyone to see and steal.
There is no evidence yet that any of the data has been used for any malicious purpose. Troia reported the breach to the company and the FBI last week and told Wired that the company has now protected the data so it is no longer available. How long the database was open to all and sundry is not known.
While the sheer size of the leak is nearly incredible, Wired’s Andy Greenberg pointed out the breathtaking depth of the trove:
“Each record contains entries that go far beyond contact information and public records to include more than 400 variables on a vast range of specific characteristics: whether the person smokes, their religion, whether they have dogs or cats, and interests as varied as scuba diving and plus-size apparel. WIRED independently analyzed a sample of the data Troia shared and confirmed its authenticity, though in some cases the information is outdated or inaccurate.”
Exactis has not commented on the leak, nor has the FBI. The leak of nearly 340 million records is considerably larger than the 146 million records leaked in 2017 by credit rating service Equifax, but an order of magnitude smaller than the 3 billion records Yahoo said it leaked.