Security researchers have found a database containing information about 1.2 billion people. The database does not contain sensitive data such as credit card numbers or passwords, but does contain information about the profiles they have. It also contains telephone numbers and e-mail addresses.
The database was found by researchers Bob Diachenko and Vinny Troia. They searched for other information via Shodan and came across the database by accident, as it were. It is a total of four terabytes in size, and contains more than four billion user accounts of 1.2 billion unique people. The records also contain 50 million unique phone numbers and 622 million unique email addresses. The data was stored on an Elasticsearch server on the Google Cloud. The investigators called the FBI after their discovery. He took the server offline shortly afterwards.
The data seems to come from four different databases that have been put together. Three of those are believed to come from a San Francisco data company called People Data Labs. It writes on its website that it has a database of 1.5 billion unique users. It sells that data to companies or advertisers. The fourth database is most likely from Oxydata. The now leaked database is not from them, but probably from one of their customers. “The owner of this server probably used one of our products, along with other products,” the owner of People Data Labs told Wired. “Once a customer has access to our data, it resides on their servers and those customers are responsible for its security.”
The large amounts of data are likely aggregated from social media profiles such as Twitter, Facebook and LinkedIn. Data companies do that kind of aggregation and then sell that data on to other companies who can use it to build advertising profiles. With such data enrichment, buyers of the data set can find a lot of information about a person from just one or two records. A name or telephone number can then lead to all other known information about that person. According to the researchers, the data can easily be misused to commit identity theft.
Huge databases have been found online more often lately. These are often created by linking multiple data sources together. In January, for example, a database appeared online containing a total of more than 2.2 billion account names, including their passwords. These were merged from other major data breaches.