Slashdot Mirror


Marketing Firm Exactis Leaked a Personal Info Database With 340 Million Records (wired.com)

You've probably never heard of the marketing and data aggregation firm Exactis. But it may well have heard of you. And now there's also a good chance that whatever information the company has about you, it recently leaked onto the public internet, available to any hacker who simply knew where to look. From a report: Earlier this month, security researcher Vinny Troia discovered that Exactis, a data broker based in Palm Coast, Florida, had exposed a database that contained close to 340 million individual records on a publicly accessible server. The haul comprises close to 2 terabytes of data that appears to include personal information on hundreds of millions of American adults, as well as millions of businesses. While the precise number of individuals included in the data isn't clear -- and the leak doesn't seem to contain credit card information or Social Security numbers -- it does go into minute detail for each individual listed, including phone numbers, home addresses, email addresses, and other highly personal characteristics for every name. The categories range from interests and habits to the number, age, and gender of the person's children.

"It seems like this is a database with pretty much every US citizen in it," says Troia, who is the founder of his own New York-based security company, Night Lion Security. Troia notes that almost every person he's searched for in the database, he's found. And when WIRED asked him to find records for a list of 10 specific people in the database, he very quickly found six of them. "I don't know where the data is coming from, but it's one of the most comprehensive collections I've ever seen," he says.

38 of 77 comments

  1. someone have a link to the torrent? by onepoint · · Score: 3, Interesting

    anyone?

    --
    if you see me, smile and say hello.
    1. Re:someone have a link to the torrent? by mi · · Score: 1

      Seriously, if anyone has the data, I want to have it too...

      --
      In Soviet Washington the swamp drains you.
    2. Re:someone have a link to the torrent? by starblazer · · Score: 1

      ZOMG MEE TOO.

    3. Re:someone have a link to the torrent? by onepoint · · Score: 1

      you know what's interesting,
      You replied wanting to know, and you're a 5 digit uid so you might be 1998 or 1999
      the guy above you is 6 digits and lower than mine 1999 or 2000
      and me early 2000 ( I had one that was in the 147K range but I forgot the password )
      so what's interesting is that we are all similar group and we all thought similar.
      I will now want to ponder why
      I've done the same reply to the guy above

      --
      if you see me, smile and say hello.
    4. Re:someone have a link to the torrent? by onepoint · · Score: 1

      you know what's interesting,
      You replied wanting to know, and you're 6 digits and lower than mine 1999 or 2000
      the guy below you is a 5 digit uid so he might be 1998 or 1999
      and me early 2000 ( I had one that was in the 147K range but I forgot the password )
      so what's interesting is that we are all similar group and we all thought similar.
      I will now want to ponder why.
      did the same type of reply to the guy below

      --
      if you see me, smile and say hello.
    5. Re:someone have a link to the torrent? by burningcpu · · Score: 2

      I'm still waiting for the interesting part.

    6. Re:someone have a link to the torrent? by sysrammer · · Score: 1

      Mi two.

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
    7. Re:someone have a link to the torrent? by sysrammer · · Score: 1

      I'm still waiting for the interesting part.

      "The reconstruction machine wraps thermal bandages around Leeloo's body, yet she ends up with an extra bandage between her crotch & neck. "

      You're welcome.

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
  2. from their web site by ole_timer · · Score: 3, Informative

    Data is the fuel that powers Exactis. Warehousing over 3.5 billion consumer, business, and digital records, The Exactis Data Cloud provides knowledge and insight to hundreds of firms enabling them to achieve marketing success through the use of high quality data. The Exactis data cloud is one of the largest and most respected in the data marketing industry. It is constructed of hundreds of compiled and proprietary data sources, has over 400 different selects, and utilizes a triple verification process to guarantee accurate targeting. This includes demographic, geographic, firmographic, lifestyle, interests, CPG, automotive, and behavioral data.

    --
    nothing to see here - move along
    1. Re:from their web site by postbigbang · · Score: 3, Insightful

      Let's add them to the prison database, with a field called: InForLife.

      --
      ---- Teach Peace. It's Cheaper Than War.
    2. Re:from their web site by Killall -9 Bash · · Score: 4, Funny

      Heat energy from the sun causes data in the Data Ocean to evaporate. This data rises into the internets. At high altitude, the internets is very cold, causing the data to coalesce into data breaches, which then fall from the sky in a constant stream.

      --
      "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
  3. That's it, I'm calling it by theCat · · Score: 2, Interesting

    At this point, there have been so many "leaks" (whatever the fuck that means) of PI that we have reached a point where there simply is NO remaining PI for anyone older than 18 months old. It's all out there now. Everything about you is in the wild, including things you didn't know about yourself. Everyone now lives in a fishbowl. Get used to it.

    I have a modest proposal. To even the playing field (and to make hoarding PI no longer profitable) there ought to be a national database of all our PI that has an open API for anyone wants to access, at any time. Period. One and done. "Securing" PI would then be a form of theft, a felony. Anyone caught collecting and storing PI outside the public domain would be arrested for information crimes (espionage) and if convicted, thrown in prison.

    --
    =^..^= all your rodent are belong to us
    1. Re:That's it, I'm calling it by pr0fessor · · Score: 1

      How about a federal do not track database like the federal do not call database. Oh wait, they get around that by either saying you agreed to it when you did (pick something) or they are just simply criminals to begin with.

    2. Re:That's it, I'm calling it by ole_timer · · Score: 1

      you agreed to let them collect...in any case businesses tend to have more rights than consumers...at least in the US

      --
      nothing to see here - move along
    3. Re:That's it, I'm calling it by ole_timer · · Score: 1

      congress would have to act and the lobby by businesses would be dead set against...

      --
      nothing to see here - move along
    4. Re:That's it, I'm calling it by Hylandr · · Score: 1

      The Führer would be so proud of you!

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    5. Re:That's it, I'm calling it by pr0fessor · · Score: 1

      The you agreed argument is often times not an agreement as much as a condition in fine print hidden within a bunch of incomprehensible legalese. Whether it's your cell provider, the finance company that gave you your car loan, or the power company, it's rarely spelled out in plain language and you are not always given an option to opt out.

      After I purchased a new car I started getting calls for insurance and an extended warranty... Had I been given an option to opt out of them sharing my info with third party marketers I would have.


    6. Re:That's it, I'm calling it by ole_timer · · Score: 2

      that's the point - we can only opt out on certain transactions - businesses have rights over consumers in US...congress needs to act...EU has it flipped - consumers come first

      --
      nothing to see here - move along
    7. Re:That's it, I'm calling it by Anonymous Coward · · Score: 1

      Funny thing. I bought a new car in December 2016 from a Dodge dealer in Florida. And I was given an option to opt out of that stuff, and did.

      Yet, I still got the same junk calls and mail. Dug a little into it and found out that it wasn't Dodge that sold my info, it was the fucking DMV. That's right, the fucking state tax collector sold my info.

    8. Re:That's it, I'm calling it by vlueboy · · Score: 1

      Nope, they don't have mine because I'm not a consumer whore like y'all.

      Must not live in the USA then. Look up Equifax's 2017 leak of 143+ million records on US dwellers if you need your memory refreshed about systematic collection that is dispassionate about YOU taking any consumer-ish steps. The big financial system is set up so they go straight to all your financial entities, which then happily leak YOUR data in the form of unhideable credit reports available to anyone with the right background. I believe this is supported by governmental edicts (think, public court records and not so public loan and default information) in exchange for who knows what.

      When I saw the 340m number, I thought "wait, are they even in the US alone?" Lo and behold, as of tonight, http://worldpopulationreview.c... estimates 320 million US inhabitants. Either we have tons of foreigners inadvertently caught in the web (ouch, you poor Europeans in practice were too late with your GDPR) or the data is replete with dead weight (almost 10% being dead North Americans).

      I posit there is a healthy mixture of both, with a sprinkle of fake and inaccurate data in there... Credit reports from a decade ago were full of discrepancies between the big 3 credit reporting agencies wrt the accounts they were tracking, plus inaccurate addresses / Dates of birth / mixed data that belonged to a relative. I saw this same trend with my name under Spokeo et al as recently as 3 years ago, so I won't hold my breath that a greedy firm with more records than feasible US householders will actually have accurate data.

      Think "number padding". Just like Facebook's "1 billion active users!!!!!!111!!" claim fails to clarify what percentage was bots, fakes and well-meaning sockpuppet / alt accounts you guys all have for discreet stalking :)

    9. Re:That's it, I'm calling it by SoftwareArtist · · Score: 1

      A lot of that information goes out of date quickly. Home addresses, phone numbers, email addresses, and credit card numbers all change. People's interests change. People have children, and their children grow up. Personal information collected today will be much less useful to advertisers and hackers ten years from now.

      We need to stop the collection and leaking of personal information. In time privacy will reestablish itself.

      --
      "I'm too busy to research this and form an educated opinion, but I do have time to tell everyone my uninformed opinion."
  4. about the company by ole_timer · · Score: 1

    Greg Williams, COO: Greg brings over 20 years of Internet marketing experience as both an Internet entrepreneur and operational leader in the data and digital marketplace. During his tenure, he has developed a multitude of successful business relationships that continue to thrive. Greg oversees the day to day operations of Exactis and plays an integral role in our platform and data development projects including but not limited to data123.com, autoappend.com, and dataverification.com.

    but nothing about security...

    William Pearson, CTO: Will is a highly accomplished IT Executive designing and developing self-service software applications built on BIG Data, running in Cloud Infrastructure in highly secure environments, leveraging analytics and yielding high profits and rapid growth. He is responsible for technology strategy which includes highly accurate and automated data processing, cloud infrastructure, MS Azure platform-as-a-service, Cloudera / Hadoop Data Management Platform, APIs, Marketing Automation Platform, Analytics, and Digital Marketing.

    --
    nothing to see here - move along
    1. Re:about the company by Desler · · Score: 1

      The data aggregation sector can go to hell and die in a fire.

  5. Re:Let's add them to the prison database by rnturn · · Score: 1

    Bingo!

    Screw the "corporate veil". Until someone in the management structure of the companies that collect all this data--and then allow it to leak onto public networks--goes to jail for most of their remaining years, they're simply not going to take data security seriously enough.

    --
    CUR ALLOC 20195.....5804M
  6. This is what the GDPR was crafted for... by Anonymous Coward · · Score: 2, Interesting

    These are the companies that the GDPR was meant to go after. Companies nobody knows what they do, slurp tons of data, get hacked, and cause all kinds of trouble. If they have any Europeans on their rolls, people should send them the GDPR Letter From Hell.

    It would be nice if we saw similar protection laws here in the US.

    1. Re:This is what the GDPR was crafted for... by Krishnoid · · Score: 1

      Go *after*? This is one of the most proactive data disclosures I've seen from any organization.

    2. Re:This is what the GDPR was crafted for... by Anonymous Coward · · Score: 1

      Proactive? They didn't disclose it, a security researcher did. "Exactis did not respond to multiple calls and emails from WIRED asking for comment on its data leak."

  7. Re:Let's add them to the prison database by White Yeti · · Score: 3, Funny

    I also had fleeting hope that Experian would be driven out of business. Oh well...

  8. Serial stalker by Bob the Super Hamste · · Score: 2

    If I collected that much data on just a handful of random people I would be called a serial stalker and brought up on charges. Why doesn't the same thing happen to these companies?

    I also wonder with all of these giant data brokers out there collecting this much data on everyone why is it so many companies screw the pooch when trying to collect debts. For example couple years back I had a case where a debt collector was trying to collect a student loan debt from me that was older than I am and the only match was on the first name.

    --
    Time to offend someone
    1. Re:Serial stalker by OrangeTide · · Score: 1

      Perhaps you haven't made the right campaign contributions. Also you have not laid down the proper legal boilerplate by establishing a legal personhood known as a corporation.

      --
      “Common sense is not so common.” — Voltaire
    2. Re:Serial stalker by Aighearach · · Score: 2

      If I collected that much data on just a handful of random people I would be called a serial stalker and brought up on charges.

      No, you wouldn't.

      In stalking, the crime is about contacting the victim repeatedly after they've instructed you to stop. It is about unwanted contact, not about the collecting of data. If a stalker never made any contact, it would never become illegal.

      Generally when you tell people working with the sort of data in the story to stop contacting you, they do; the next time the company contacts you it is a different person calling.

      A key part of the stalking laws is that the victim would reasonably be afraid for their physical safety. That isn't the case in telemarketing, etc., or the mere storage of data.

  9. Put a financial cost to this. by backbyter · · Score: 1

    When a company cannot secure the PI data it collects, then it should pay a fine for each person's data that it exposed.

    Call the fine $120, which should be the low ball of credit monitoring for a year. (https://www.creditcards.com/credit-card-news/pros-cons-credit-monitoring-services-1282.php)

    This amount should be payable to each person to do with as they wished. (I have multiple credit monitoring plans being run on me already this year. I'd rather have the cash.)

    1. Re:Put a financial cost to this. by OrangeTide · · Score: 1

      Just ban the collection, consolidation, and exchanging of such information. It doesn't serve the public good. Businesses have operated just fine in the past without this information.

      The law can be simple. Unless I have done business with you, you don't get to keep records on me. If you wish to exchange or share records on me, you must get my explicit permission. Some of the information sold is from public records, but what is key here is that it also includes additional data not in public records. It's how marketing research companies add value to otherwise public data and is the core of their business.

      --
      “Common sense is not so common.” — Voltaire
    2. Re:Put a financial cost to this. by AvitarX · · Score: 1

      This would prevent large companies with something to lose from doing it, but would do nothing for companies where it is their only gig.

      Run the company, make money, and if something leaks, bankrupt the company and be done.

      I guess it kills the collect data and get purchased out business model.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    3. Re:Put a financial cost to this. by SoftwareArtist · · Score: 1

      Even a very small fine could make a big difference. Maybe $1 for less sensitive data like email addresses and phone numbers, $10 for more sensitive things like credit card numbers and social security numbers. But this would be the minimum statutory fine, independent of any damages caused. If someone can show they were hurt by the leak, they can still sue for compensation.

      The main effect of this would likely be to make companies a lot more selective about what data they collect. Say you have a database of a million people. Do you really need to include their home addresses? If you do, that adds $1 million to the fine if it gets leaked. How about the ages of their children? That's another million dollars. You'd better consider every column of the database carefully, because each one adds to your potential liability.

      --
      "I'm too busy to research this and form an educated opinion, but I do have time to tell everyone my uninformed opinion."
    4. Re:Put a financial cost to this. by DethLok · · Score: 1

      Phoenix laws soon put a stop to that.

      Your country DOES have Phoenix laws, doesn't it?

  10. Leakis Exactis? by AlejandroTejadaC · · Score: 1

    This is what I thought, after reading: "Exactis leaked..."

  11. Marketing Firm Exactis Leaked ... by grep -v '.*' * · · Score: 1

    OK, so corporations want to be people? Fine.

    Take 'em to court. Presumably they'll lose with a fine and jail-time. The company pays the fine, and as the jail time? That's for the CEO.

    He's the "brains" and "leader" of the operation? Let's treat him exactly that way.

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?