Comprehensive data on 33.7 million US business contacts leaked

A database containing extensive data on 33.7 million American business contacts has been leaked. The database contains data on government officials, business people and journalists. The data is sold by a company to marketers.

Security researcher Troy Hunt got hold of the database containing 52.2GB of data. He suspects that the data was stolen from an unsecured MongoDB server. The database contains 33.7 million contacts described in detail. For example, Hunt shows the data of ZDNet journalist Zack Whittaker, with whom he collaborated to determine the origin of the database.

In addition to Whittaker’s e-mail address, telephone numbers and position, the record holds information about the company where he works, its parent company, its turnover and its number of employees. Much of this information is publicly available, and the data is also said to have been collected legitimately. Hunt notes that the data is neatly organized and checked for accuracy.

The ZDNet journalist discovered that the database comes from NetProspex, a service for marketers owned by the American company Dun & Bradstreet. The company sells contact information from the database to companies. A 2015 brochure shows that the company is charging up to $200,000 for access to half a million contacts.

D&B, which owns the database, says it is investigating the leakage of the data. Because the company sells the data to other parties, it is difficult to trace where the leak took place. In some cases, buyers may also resell the data themselves.

The database only contains contacts from the United States. The contacts are organized by company, department and job function. For example, there are more than one hundred thousand contacts from the US Department of Defense, with ten thousand different functions, ranging from ‘Soldier’ to ‘Ammunition Specialist’ and ‘Intelligence Analyst’. The database also holds data on tens of thousands of employees of companies such as AT&T, Boeing, Dell, FedEx, IBM and Xerox.

Troy Hunt has added the data to his HaveIBeenPwned website so that people whose data is in the database can be notified. Although D&B says the data was obtained legally, the leak of the database poses risks, according to Hunt. For example, the data of high-ranking individuals within companies could be used for whaling, that is, phishing aimed at senior executives.