After the massive Equifax breach that exposed nearly 143 million Americans' critical data, it's hard to think of a breach that could be larger in scope. But, believe it or not, it just happened.
This latest data breach may just have more than doubled the Equifax breach's headcount! If you're a U.S. citizen, you and your children are most likely affected by this incredibly massive data leak.
Read on and find out what happened and what personal information is at risk.
A marketing and data aggregation firm called Exactis may have just leaked the personal information of nearly 340 million U.S. citizens including phone numbers, home addresses, email addresses, interests and even the number, age and gender of their children.
How massive is this data leak? Well, it may very well include the information of the entire U.S. population.
What is Exactis anyway? The company is not exactly a household name but it is one of the largest compilers and collectors of consumer data. Based in Palm Coast, Florida, Exactis claims to have over 3.5 billion records in their database.
Data broker Exactis tracks about 400 traits on every American. That information is now out in the wild. A hacker can drain your bank account using your email address. Listen to this Komando On Demand Podcast for a deep look into how this data got leaked by the company and what you need to do now.
According to a Wired report, the massive database was discovered by security researcher Vinny Troia while scanning the internet with Shodan, a popular search engine for exposed ports and database.
Troia said that the 2 terabyte database, which contained around 340 million individual records, was stored in a publicly available server, completely exposed and out in the open, unprotected by any sort of firewall.
What information was exposed?
Although the exact number of affected individuals is still unclear at this point, Troia noted that the database does indeed contain the personal details of specific individuals including phone numbers, home addresses, email addresses, and other sensitive information.
The information ranges from interests and habits to the number, age, and gender of the person's children.
Since it's data that are meant for targeted marketing, each record even contains individual characteristics like whether a person smokes, what their religion is, whether they are pet owners, and even niche interests like scuba diving or plus-sized apparel.
"It seems like this is a database with pretty much every U.S. citizen in it," Troia told Wired. "I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen."
But where does Exactis' consumer information come from? It's likely that the data come from a number of sources including magazine subscriptions, credit card transaction data, and credit reports.
Thankfully, it looks like personal financial information like credit card numbers and Social Security numbers are not included in the breach. Troia also noted that even though most of the data is authentic, not every piece of it was up-to-date or verifiable.
Troia already informed both Exactis and the FBI about the exposed database last week. Although Exactis has not confirmed the leak, the data has since been protected and it's no longer accessible.
Although there's no evidence that hackers have maliciously accessed the Exactis database, Troia can't really say for sure.
"I’d be surprised if someone else didn't already have this," he told Wired.
We spoke to cybersecurity lawyer Steven Teppler about the implications of this breach and he said that Exactis breach is "a perfect storm."
"If confirmed, the Exactis data breach combines the worst of the two largest breaches to date: Equifax and Facebook," Teppler told Komando.com. "First it contains types of information leaked in the Equifax breach.
"Second, the type of information breached (reportedly 400 categories) also appears to include even more detailed personal preferences and information than was disseminated in the Facebook breach," he added.
Note: Steven Teppler will debut his very own Cyberlaw Now podcast next week on the KomandoCast Network. Stay tuned!
Are you at risk ?
Now, although sensitive financial information like credit card numbers and Social Security numbers weren't part of the Exactis leak, the data can still be used for identity theft.
For example, combined with data from other breaches (such as Equifax's), a hacker can build a more complete and accurate profile on an individual.
Additionally, the variety of detailed personal information included in the Exactis database can be used to launch social engineering attacks.
What to do after a data breach
Whenever a big data breach like this occurs, there are standard security steps that we should all take.
First, you should already be frequently checking your bank statements, looking for suspicious activity. If you see anything that seems strange, report it immediately to your bank. It's the best way to keep your financial accounts safe.
Scammers will try and piggyback on data breaches like this. Beware of phishing scams that pretend to be from affected companies like banks, credit bureaus, credit card companies and even Exactis itself.
It's also a good time to audit your online accounts and passwords. This is especially true if you use the same credentials for multiple websites.
Lastly, if you think you are already compromised, put a credit freeze on your accounts as soon as you can.
In related news, hackers have your credit card number and personal data if you ate here
This is not the only breach that's making headlines now. If you've eaten at this restaurant recently, hackers may already have your data! Click here to read more about it.