Slashdot Mirror


Marketing Firm Exactis Leaked a Personal Info Database With 340 Million Records (wired.com)

You've probably never heard of the marketing and data aggregation firm Exactis. But it may well have heard of you. And now there's also a good chance that whatever information the company has about you, it recently leaked onto the public internet, available to any hacker who simply knew where to look. From a report: Earlier this month, security researcher Vinny Troia discovered that Exactis, a data broker based in Palm Coast, Florida, had exposed a database that contained close to 340 million individual records on a publicly accessible server. The haul comprises close to 2 terabytes of data that appears to include personal information on hundreds of millions of American adults, as well as millions of businesses. While the precise number of individuals included in the data isn't clear -- and the leak doesn't seem to contain credit card information or Social Security numbers -- it does go into minute detail for each individual listed, including phone numbers, home addresses, email addresses, and other highly personal characteristics for every name. The categories range from interests and habits to the number, age, and gender of the person's children.

"It seems like this is a database with pretty much every US citizen in it," says Troia, who is the founder of his own New York-based security company, Night Lion Security. Troia notes that almost every person he's searched for in the database, he's found. And when WIRED asked him to find records for a list of 10 specific people in the database, he very quickly found six of them. "I don't know where the data is coming from, but it's one of the most comprehensive collections I've ever seen," he says.

77 comments

  1. someone have a link to the torrent? by onepoint · · Score: 3, Interesting

    anyone?

    --
    if you see me, smile and say hello.
    1. Re:someone have a link to the torrent? by Anonymous Coward · · Score: 0

      Pretty funny, but I'd download it just to find out what info these f*ckers had about me.

    2. Re:someone have a link to the torrent? by mi · · Score: 1

      Seriously, if anyone has the data, I want to have it too...

      --
      In Soviet Washington the swamp drains you.
    3. Re:someone have a link to the torrent? by starblazer · · Score: 1

      ZOMG MEE TOO.

    4. Re:someone have a link to the torrent? by onepoint · · Score: 1

      you know what's interesting,
      You replied wanting to know, and you're a 5 digit uid so you might be 1998 or 1999
      the guy above you is 6 digits and lower than mine 1999 or 2000
      and me early 2000 ( I had one that was in the 147K range but I forgot the password )
      so what's interesting is that we are all similar group and we all thought similar.
      I will now want to ponder why
      I've done the same reply to the guy above

      --
      if you see me, smile and say hello.
    5. Re:someone have a link to the torrent? by onepoint · · Score: 1

      you know what's interesting,
      You replied wanting to know, and you're 6 digits and lower than mine 1999 or 2000
      the guy below you is a 5 digit uid so he might be 1998 or 1999
      and me early 2000 ( I had one that was in the 147K range but I forgot the password )
      so what's interesting is that we are all similar group and we all thought similar.
      I will now want to ponder why.
      did the same type of reply to the guy below

      --
      if you see me, smile and say hello.
    6. Re:someone have a link to the torrent? by burningcpu · · Score: 2

      I'm still waiting for the interesting part.

    7. Re:someone have a link to the torrent? by sysrammer · · Score: 1

      Mi two.

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
    8. Re:someone have a link to the torrent? by sysrammer · · Score: 1

      I'm still waiting for the interesting part.

      "The reconstruction machine wraps thermal bandages around Leeloo's body, yet she ends up with an extra bandage between her crotch & neck. "

      You're welcome.

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
  2. from their web site by ole_timer · · Score: 3, Informative

    Data is the fuel that powers Exactis. Warehousing over 3.5 billion consumer, business, and digital records, The Exactis Data Cloud provides knowledge and insight to hundreds of firms enabling them to achieve marketing success through the use of high quality data. The Exactis data cloud is one of the largest and most respected in the data marketing industry. It is constructed of hundreds of compiled and proprietary data sources, has over 400 different selects, and utilizes a triple verification process to guarantee accurate targeting. This includes demographic, geographic, firmographic, lifestyle, interests, CPG, automotive, and behavioral data.

    --
    nothing to see here - move along
    1. Re:from their web site by postbigbang · · Score: 3, Insightful

      Let's add them to the prison database, with a field called: InForLife.

      --
      ---- Teach Peace. It's Cheaper Than War.
    2. Re:from their web site by Anonymous Coward · · Score: 0

      wtf is a data cloud

    3. Re:from their web site by Killall+-9+Bash · · Score: 4, Funny

      Heat energy from the sun causes data in the Data Ocean to evaporate. This data rises into the internets. At high altitude, the internets is very cold, causing the data to coalesce into data breaches, which then fall from the sky in a constant stream.

      --
      "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
    4. Re: from their web site by Anonymous Coward · · Score: 0

      I'm almost tempted to get a slashdot account just so I can mark this as funny.

  3. That's it, I'm calling it by theCat · · Score: 2, Interesting

    At this point, there have been so many "leaks" (whatever the fuck that means) of PI that we have reached a point where there simply is NO remaining PI for anyone older than 18 months old. It's all out there now. Everything about you is in the wild, including things you didn't know about yourself. Everyone now lives in a fishbowl. Get used to it.

    I have a modest proposal. To even the playing field (and to make hoarding PI no longer profitable) there ought to be a national database of all our PI that has an open API for anyone wants to access, at any time. Period. One and done. "Securing" PI would then be a form of theft, a felony. Anyone caught collecting and storing PI outside the public domain would be arrested for information crimes (espionage) and if convicted, thrown in prison.

    --
    =^..^= all your rodent are belong to us
    1. Re:That's it, I'm calling it by pr0fessor · · Score: 1

      How about a federal do not track database like the federal do not call database. Oh wait, they get around that by either saying you agreed to it when you did (pick something) or they are just simply criminals to begin with.

    2. Re:That's it, I'm calling it by ole_timer · · Score: 1

      you agreed to let them collect...in any case businesses tend to have more rights than consumers...at least in the US

      --
      nothing to see here - move along
    3. Re:That's it, I'm calling it by ole_timer · · Score: 1

      congress would have to act and the lobby by businesses would be dead set against...

      --
      nothing to see here - move along
    4. Re:That's it, I'm calling it by Hylandr · · Score: 1

      The Führer would be so proud of you!

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    5. Re:That's it, I'm calling it by Anonymous Coward · · Score: 0

      If you actually believe that, you're a fool.

    6. Re:That's it, I'm calling it by Anonymous Coward · · Score: 0

      What needs to happen is to make collecting and distributing any info without explicit written consent an offense.

      But how would this be accomplished and enforced without being "statist?" They'll just self-regulate and turn themselves in for prosecution? ROFL...

    7. Re:That's it, I'm calling it by pr0fessor · · Score: 1

      The "you agreed" argument is often times not an agreement as much as a condition in fine print hidden within a bunch of incomprehensible legalese. Whether it's your cell provider, the finance company that gave you your car loan, or the power company, it's rarely spelled out in plain language and you are not always given an option to opt out.

      After I purchased a new car I started getting calls for insurance and an extended warranty... Had I been given an option to opt out of them sharing my info with third party marketers I would have.

       

    8. Re: That's it, I'm calling it by Anonymous Coward · · Score: 0

      Private shit got stolen, you idiot. Typical SJW with reading comprehension issues.

    9. Re:That's it, I'm calling it by ole_timer · · Score: 2

      that's the point - we can only opt out on certain transactions - businesses have rights over consumers in US...congress needs to act...EU has it flipped - consumers come first

      --
      nothing to see here - move along
    10. Re:That's it, I'm calling it by Anonymous Coward · · Score: 1

      Funny thing. I bought a new car in December 2016 from a Dodge dealer in Florida. And I was given an option to opt out of that stuff, and did.

      Yet, I still got the same junk calls and mail. Dug a little into it and found out that it wasn't Dodge that sold my info, it was the fucking DMV. That's right, the fucking state tax collector sold my info.

    11. Re:That's it, I'm calling it by vlueboy · · Score: 1

      Nope, they don't have mine because I'm not a consumer whore like y'all.

      Must not live in the USA then. Look up Equifax's 2017 leak of 143+ million records on US dwellers if you need your memory refreshed about systematic collection that is dispassionate about YOU taking any consumer-ish steps. The big financial system is set up so they go straight to all your financial entities, which then happily leak YOUR data in the form of unhideable credit reports available to anyone with the right background. I believe this is supported by governmental edicts (think, public court records and not so public loan and default information) in exchange for who knows what.

      When I saw the 340m number, I thought "wait, are they even in the US alone?" Lo and behold, as of tonight, http://worldpopulationreview.c... estimates 320 million US inhabitants. Either we have tons of foreigners inadvertently caught in the web (ouch, you poor Europeans in practice were too late with your GDPR) or the data is replete with dead weight (almost 10% being dead North Americans).

      I posit there is a healthy mixture of both, with a sprinkle of fake and inaccurate data in there... Credit reports from a decade ago were full of discrepancies between the big 3 credit reporting agencies wrt the accounts they were tracking, plus inaccurate addresses / Dates of birth / mixed data that belonged to a relative. I saw this same trend with my name under Spokeo et al as recently as 3 years ago, so I won't hold my breath that a greedy firm with more records than feasible US householders will actually have accurate data.

      Think "number padding". Just like Facebook's "1 billion active users!!!!!!111!!" claim fails to clarify what percentage was bots, fakes and well-meaning sockpuppet / alt accounts you guys all have for discreet stalking :)

    12. Re:That's it, I'm calling it by SoftwareArtist · · Score: 1

      A lot of that information goes out of date quickly. Home addresses, phone numbers, email addresses, and credit card numbers all change. People's interests change. People have children, and their children grow up. Personal information collected today will be much less useful to advertisers and hackers ten years from now.

      We need to stop the collection and leaking of personal information. In time privacy will reestablish itself.

      --
      "I'm too busy to research this and form an educated opinion, but I do have time to tell everyone my uninformed opinion."
  4. about the company by ole_timer · · Score: 1

    Greg Williams COO

    Greg brings over 20 years of Internet marketing experience as both an Internet entrepreneur and operational leader in the data and digital marketplace. During his tenure, he has developed a multitude of successful business relationships that continue to thrive. Greg oversees the day to day operations of Exactis and plays an integral role in our platform and data development projects including but not limited to data123.com, autoappend.com, and dataverification.com.

    but nothing about security...

    William Pearson CTO

    Will is a highly accomplished IT Executive designing and developing self-service software applications built on BIG Data, running in Cloud Infrastructure in highly secure environments, leveraging analytics and yielding high profits and rapid growth. He is responsible for technology strategy which includes highly accurate and automated data processing, cloud infrastructure, MS Azure platform-as-a-service, Cloudera / Hadoop Data Management Platform, APIs, Marketing Automation Platform, Analytics, and Digital Marketing.

    --
    nothing to see here - move along
    1. Re:about the company by Anonymous Coward · · Score: 0

      Would castration be too good for these yoyos?

    2. Re:about the company by Anonymous Coward · · Score: 0

      Would castration be too good for these yoyos?

      If we're going to chop something off these fuckers let's go straight for the head. No need to cut the balls off.

    3. Re: about the company by Anonymous Coward · · Score: 0

      Yes, it's too good for these kinds of shit stains. The eighth amendment shouldn't apply for them. They should be executed for this, and in the most painful way possible.

    4. Re:about the company by Anonymous Coward · · Score: 0

      Bingo!

      Anybody else win with the above?

    5. Re: about the company by Anonymous Coward · · Score: 0

      Start with the clit of Susan Mauldin who was the Chief Security Officer Of Equifax

    6. Re:about the company by Anonymous Coward · · Score: 0

      Why? People like this bring jobs and money to the sector, and he likely drives a better car than you.

    7. Re:about the company by Anonymous Coward · · Score: 0

      I like that on their website http://www.exactis.com/our-data/, they accentuate the fact that the phone numbers they have are "Pre-DNC", i.e. before the Do Not Call registry was started. Classy.

    8. Re: about the company by Anonymous Coward · · Score: 0

      I see you're making a compelling argument for mob style executive executions.

    9. Re:about the company by Anonymous Coward · · Score: 0

      Only if it's not done with a dull, rusty spoon.

    10. Re:about the company by Desler · · Score: 1

      The data aggregation sector can go to hell and die in a fire.

  5. Marketing/Sales by Anonymous Coward · · Score: 0

    At this point can we get Elon Musk to make a special one-way rocket so we can fire all the marketing and sales people into the Sun?

    I'm sure we can get a highly successful GoFundme for this.

    1. Re: Marketing/Sales by Anonymous Coward · · Score: 0

      Add HR to the list, too.

    2. Re: Marketing/Sales by Anonymous Coward · · Score: 0

      Don't forget MBAs.

    3. Re: Marketing/Sales by Anonymous Coward · · Score: 0

      Or sociopath engineers -- terrorist threat

  6. Did anyone else read 340 million records by Anonymous Coward · · Score: 0

    and think that's a lot of vinyl and do a double take?

  7. Does Amazon want them to leak 340 million records? by Anonymous Coward · · Score: 0

    Sorry, I just thought it went with the theme

  8. Re:Let's add them to the prison database by rnturn · · Score: 1

    Bingo!

    Screw the "corporate veil". Until someone in the management structure of the companies that collect all this data--and then allow it to leak onto public networks--goes to jail for most of their remaining years, they're simply not going to take data security seriously enough.

    --
    CUR ALLOC 20195.....5804M
  9. This is what the GDPR was crafted for... by Anonymous Coward · · Score: 2, Interesting

    These are the companies that the GDPR was meant to go after. Companies nobody knows what they do, slurp tons of data, get hacked, and cause all kinds of trouble. If they have any Europeans on their rolls, people should send them the GDPR Letter From Hell.

    It would be nice if we saw similar protection laws here in the US.

    1. Re:This is what the GDPR was crafted for... by Anonymous Coward · · Score: 0

      A US version of GDPR will not happen as long as voters are worthless garbage that fervently believe in the lies of corporate shills.

      American freedom is dead because Americans don't want freedom anymore.

    2. Re:This is what the GDPR was crafted for... by Krishnoid · · Score: 1

      Go *after*? This is one of the most proactive data disclosures I've seen from any organization.

    3. Re:This is what the GDPR was crafted for... by Anonymous Coward · · Score: 1

      Proactive? They didn't disclose it, a security researcher did. "Exactis did not respond to multiple calls and emails from WIRED asking for comment on its data leak."

  10. Whew, good thing they let the FBI know by Anonymous Coward · · Score: 0

    Cause they don't leak at all either.

  11. That's Free Enterprise, Baby! by 93+Escort+Wagon · · Score: 0

    Government regulation is for CHUMPS! Boo yah!

    --
    #DeleteChrome
  12. Re:Let's add them to the prison database by White+Yeti · · Score: 3, Funny

    I also had fleeting hope that Experian would be driven out of business. Oh well...

  13. Serial stalker by Bob+the+Super+Hamste · · Score: 2

    If I collected that much data on just a handful of random people I would be called a serial stalker and brought up on charges. Why doesn't the same thing happen to these companies?

    I also wonder with all of these giant data brokers out there collecting this much data on everyone why is it so many companies screw the pooch when trying to collect debts. For example couple years back I had a case where a debt collector was trying to collect a student loan debt from me that was older than I am and the only match was on the first name.

    --
    Time to offend someone
    1. Re:Serial stalker by OrangeTide · · Score: 1

      Perhaps you haven't made the right campaign contributions. Also you have not laid down the proper legal boiler plate by establishing a legal personhood known as a corporation.

      --
      “Common sense is not so common.” — Voltaire
    2. Re:Serial stalker by Aighearach · · Score: 2

      If I collected that much data on just a handful of random people I would be called a serial stalker and brought up on charges.

      No, you wouldn't.

      In stalking, the crime is about contacting the victim repeatedly after they've instructed you to stop. It is about unwanted contact, not about the collecting of data. If a stalker never made any contact, it would never become illegal.

      Generally when you tell people working with the sort of data in the story to stop contacting you, they do; the next time the company contacts you it is a different person calling.

      A key part of the stalking laws is that the victim would reasonably be afraid for their physical safety. That isn't the case in telemarketing, etc., or the mere storage of data.

    3. Re:Serial stalker by Anonymous Coward · · Score: 0

      If I collected that much data on just a handful of random people I would be called a serial stalker and brought up on charges. Why doesn't the same thing happen to these companies?

      I also wonder with all of these giant data brokers out there collecting this much data on everyone why is it so many companies screw the pooch when trying to collect debts. For example couple years back I had a case where a debt collector was trying to collect a student loan debt from me that was older than I am and the only match was on the first name.

      We already collect this information on people all the time without charges. Most of us spend years collecting tidbits of information about our friends, family, loved ones, neighbors, co-workers, and the people in their networks. You're not a serial stalker for remembering that job they had when they were 16, that time they had that surgery or that time you met their maternal grandmother.

      The modern problem is that this slurping is done at scale, sometimes with little knowledge that we're giving away this information, and without the benefit of human forgetfulness. I worked with people that shared way too much about themselves, and thankfully for all involved, decades later I can't even remember their last names. Nowadays, just thinking about the number of sites I've had to supply information to just to purchase a single damn thing is depressing, and worse because once I've given it up, I can't get it back and don't know where it's going to go. Right now we're at the shell game stage of things where the information has been disseminated, reassembled and remixed so many times it's hard to know who got what where.

    4. Re:Serial stalker by Anonymous Coward · · Score: 0

      It's a matter of scale.

      Collecting data on one person is stalking. Collecting data on a billion people is marketing.

    5. Re:Serial stalker by Anonymous Coward · · Score: 0

      25$ file a DBA in your local courthouse so it's 'business'y then go start collecting.

      Last I checked the numbfucks in Washington haven't passed any laws making it illegal to do what Facebook Clients and Exactis do.

      Because they want the data, too!

      Your privacy and my privacy isn't as important as Obama 2 being able to call the Facebook and ask where all the 'right' voters are.

    6. Re:Serial stalker by Anonymous Coward · · Score: 0

      I doubt Exactis lives with you, spends time, sharing and is a part of family as a member. It's more a stranger you don't know, or ever heard of collecting a lot of personal information on you, your kids, friends, interests, income, ownership, and whatever else the stranger can lay their hands on.

      If a cop started to collect this information on you and keep it in a database you'd freak out, if a friend would compile a database on you, you'd freak out. But when a complete stranger, a corporate overlord does it, it doesn't really bother you? Now, who do they sell this information to? State Tax Collector? Police? Criminals?

      You are a corporate bitch, a corporation cannot do anything wrong, it's a god for you north american brainwashed sheep.

  14. Put a financial cost to this. by backbyter · · Score: 1

    When a company cannot secure the PI data it collects, then it should pay a fine for each person's data that it exposed.

    Call the fine $120, which should be the low ball of credit monitoring for a year. (https://www.creditcards.com/credit-card-news/pros-cons-credit-monitoring-services-1282.php)

    This amount should be payable to each person to do with as they wished. (I have multiple credit monitoring plans being run on me already this year. I'd rather have the cash.)

    1. Re:Put a financial cost to this. by OrangeTide · · Score: 1

      Just ban the collection, consolidation, and exchanging of such information. It doesn't serve the public good. Businesses have operated just fine in the past without this information.

      The law can be simple. Unless I have done business with you, you don't get to keep records on me. If you wish to exchange or share records on me, you must get my explicit permission. Some of the information sold is from public records, but what is key here is that it also includes additional data not in public records. It's how marketing research companies add value to otherwise public data and is the core of their business.

      --
      “Common sense is not so common.” — Voltaire
    2. Re:Put a financial cost to this. by AvitarX · · Score: 1

      This would prevent large companies with something to lose from doing it, but would do nothing for companies where it is their only gig.

      Run the company, make money, and if something leaks, bankrupt the company and be done.

      I guess it kills the collect data and get purchased out business model.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    3. Re:Put a financial cost to this. by SoftwareArtist · · Score: 1

      Even a very small fine could make a big difference. Maybe $1 for less sensitive data like email addresses and phone numbers, $10 for more sensitive things like credit card numbers and social security numbers. But this would be the minimum statutory fine, independent of any damages caused. If someone can show they were hurt by the leak, they can still sue for compensation.

      The main effect of this would likely be to make companies a lot more selective about what data they collect. Say you have a database of a million people. Do you really need to include their home addresses? If you do, that adds $1 million to the fine if it gets leaked. How about the ages of their children? That's another million dollars. You'd better consider every column of the database carefully, because each one adds to your potential liability.

      --
      "I'm too busy to research this and form an educated opinion, but I do have time to tell everyone my uninformed opinion."
    4. Re:Put a financial cost to this. by DethLok · · Score: 1

      Phoenix laws soon put a stop to that.

      Your country DOES have Phoenix laws, doesn't it?

  15. How's this different from Spokeo and others? by Anonymous Coward · · Score: 0

    It seems that this is only one of many companies that collect public data.

  16. Beatings ... by Anonymous Coward · · Score: 0

    You know, I've given up ... it's time to start physical beatings of the assholes who work for companies like this, and to start cutting off fingers when they leak this shit.

    I didn't consent to you having my information, I don't have a business relationship with you, and I don't want you to have my fucking data.

    These people are fucking parasites, utterly incompetent at data privacy and security (because they're lazy and greedy) .. and if lawmakers aren't going to rein in these assholes, then someone needs to.

    Say what you will about the GDPR, but it at least seems to get the point that we're not here to be a profit center for some greedy asshole of a marketing company.

    If nothing else, get a fucking list of their employees, publish their personal information, and everybody go and take a shit on their lawn (or car).

    And people wonder why I have ad blockers and block the shit out of this stuff.

  17. Europe got this right by Anonymous Coward · · Score: 0

    GDPR would bankrupt companies like this overnight. The US should do the same.

  18. Lifetime in prison by Anonymous Coward · · Score: 0

    Lifetime imprisonment without parole for the CEO and everyone under him in the chain of command, who were responsible for this data breach. The attorney general of Florida should act on this case immediately. This case should set a precedent throughout the USA, for companies to safeguard personal information about US citizens.

  19. Leakis Exactis? by AlejandroTejadaC · · Score: 1

    This is what I thought, after reading: "Exactis leaked..."

  20. Marketing Firm Exactis Leaked ... by grep+-v+'.*'+* · · Score: 1

    OK, so corporations want to be people? Fine.

    Take 'em to court. Presumably they'll lose with a fine and jail-time. The company pays the fine, and as the jail time? That's for the CEO.

    He's the "brains" and "leader" of the operation? Let's treat him exactly that way.

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    1. Re:Marketing Firm Exactis Leaked ... by Anonymous Coward · · Score: 0

      This is not illegal in the US. Leaking the data may be, but even that is not really clear if someone 'stole' it.

  21. Why not leak the Congresscritters' personal info? by Anonymous Coward · · Score: 0

    With all these huge data breaches lately, why hasn't anyone leaked everything on the politicians in Congress (both parties) and CEOs of the data harvesting companies? Yes, it is not nice. Yes, it is divulging personal information. But seems the only way to pass laws which meaningfully punished these companies, their boards and CEOs, CTOs, etc. is when those in power suffer like the average person. Until then, they take their bribes^H^H^H^H^H^Hcampaign contributions and nothing will change.

  22. Re: databases by Anonymous Coward · · Score: 0

    Ever wonder why there are so many hacks of big databases. It's not the "security infrastructure" that is to blame, instead it is that crypto has been completely made irrelevant by some big crime groups, who have quantum (yes, that quantum) computers. This is just the beginning, and the feeding frenzy is about to start ...