Skip to Content
Security & privacy

Massive data leak exposes millions of U.S. citizens’ and companies’ records

Data breaches are commonplace in the digital world that we now live in. We are constantly telling you how cybercriminals are causing havoc. They use various hacking methods like brute force, social engineering and software exploits to steal personal data.

Sometimes, though, hackers aren’t to blame for exposing victims’ personal data. As proven in the past quite too often, companies who fail to secure their websites and databases properly could be leaking your information in the open, too. And the worse part is this – not even the best security precautions can protect you from these data breaches!

Read on and learn about the latest massive data breach caused by an unsecured server. This one is so extensive, it has exposed the information of millions of Americans!

Another day, another data breach

A massive database containing over 114 million records of U.S. citizens and companies have been found to be exposed online unprotected. The estimated number of affected individuals? A whopping 83 million.

The 73 GB data breach was discovered by cybersecurity firm HackenProof during a routine internet scan of publicly exposed servers with Shodan. The data appears to be Elasticsearch clusters that were improperly misconfigured for public view.

Fun fact: Shodan is a free search engine tool used for tracking exposed ports, databases and vulnerable web-connected appliances. Elasticsearch is a free database search engine popular with cloud services such as Amazon Web Services.

The first indexed cache of data exposed the personal information of around 57 million U.S. citizens including their first name, last name, employer, job title, email, address, state, ZIP code, phone number and IP address.

Image Credit: HackenProof

Another index of the same database exposed more than 25 million “Yellow Pages-style” records including name, company details, ZIP code, carrier route, latitude/longitude, census tract, phone number, web address, email, employees count, revenue numbers, NAICS codes, and SIC codes.

Image Credit: HackenProof

Who leaked the data?

Although the source of the leak cannot be readily determined, HackenProof’s analysis of the data structure suggests that it’s similar to those used by data aggregating firm Data & Leads.

Data & Leads is a self-described “data & lead solution company from Toronto, Canada” and it has been around for around 10 years.

It looks like the Data & Leads website was inaccessible before HackenProof published the breach. At the time of this writing, the entire Data & Leads website is still offline.

Is the data still exposed?

The exposed database is no longer exposed as of November 28 but it is not known how long the information has been publicly accessible nor if someone already mined the data.

See, Shodan is not only used by security researchers (good guys) and but by hackers and data miners (bad guys), too. Although Shodan’s timestamp of the exposed database is on November 14, other entities may have discovered and exploited it before that time.

Since we take precautionary steps in our lives every day to stay protected from digital threats, it’s scary to think that some companies who handle massive caches of our personal information can be so careless. It’s not just hackers we need to worry about but publicly exposed databases, too.

Click here to view HackenProof’s fact sheet about this breach.

What to do after a data breach?

Exposed databases are nothing new and they seem to occur on a regular basis. Needless to say, if the information gets into the hands of scammers, it could lead to all kinds of malicious activity, including phishing scams. To protect yourself from the inevitable fallout, here are some suggestions:

  • Investigate your email address  Have I Been Pwned is an easy-to-use site with a database of information that hackers and malicious programs have released publicly. It monitors hacker sites and collects new data every five to 10 minutes about the latest hacks and exposures.
  • Change your password – Whenever you hear news of a data breach, it’s a good idea to change your account passwords. Read this article to help you create hack-proof passwords.
  • Close unused accounts – Here’s an easy way to manage all of your online accounts at once.
  • Beware of phishing scams – Scammers will try and piggyback on huge breaches like this. They will create phishing emails, pretending to be the affected company, hoping to get victims to click on malicious links that could lead to more problems. Take our phishing IQ test to see if you can spot a fake email.
  • Manage passwords – Many people use the same username and password on multiple sites. This is a terrible practice and you should never do it. If you’re using the same credentials on multiple sites, change them to make them unique. If you have too many accounts to remember, you could always use a password manager.
  • Keep an eye on your bank accounts – You should be frequently checking your bank statements, looking for suspicious activity. If you see anything that seems strange, report it immediately.
  • Check email security settings – Make sure the email account associated with the hacked site has updated security settings.
  • Have strong security software – Protecting your gadgets with strong security software is important. It’s the best defense against digital threats.

Refer friends, earn rewards

Share your source of digital lifestyle news, tips and advice with friends and family, and you'll be on your way to earning awesome rewards!

Get started