The database was stored on a publicly accessible server, and within it were detailed records on 230 million Americans and 110 million businesses. Security researcher Vinny Troia of Night Lion Security is credited with discovering the gaping hole in Exactis’ database, and told Wired, “It seems like this is a database with pretty much every US citizen in it. I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen.”
The database was 2TB in size and contained plenty of identifiable information; luckily, credit card information and social security numbers were not revealed. However, the database did include names, phone numbers, home addresses, email addresses, and other details that could quickly identify a person. In fact, there were over 400 variables that could model a person in exacting detail. For example, the database records details such as religion, whether the person smoked, and whether they had any pets.
As Wired points out, the chances of financial fraud are relatively low because banking details and social security numbers weren’t included in the breach. However, the comprehensive profiles on individuals could be used in the kind of social engineering that is common among scammers.
Exactis brags about its data-collecting prowess by writing on its site, “Data is the fuel that powers Exactis. Layer on hundreds of selects including demographic, geographic, lifestyle, interests, and behavioral data to target highly specific audiences with laser-like precision.” It appears that properly securing its highly sensitive database isn’t among those “powers”.
Equifax grabbed headlines last year when it was revealed that a data breach resulted in the leaking of social security numbers associated with roughly 144 million Americans.