Data breaches have become routine, yet each newly reported incident seems to affect a larger number of users more seriously than the last. Data protection specialists say that, most of the time, the compromised data ends up in the hands of marketing companies and even of threat actors on the dark web.
There are currently dozens of companies dedicated to collecting huge amounts of data from social media profiles, online forums and job networks. This is a security issue in itself, as many of these companies lack adequate information protection measures and are therefore prone to data breaches.
Bob Diachenko, a data protection expert primarily dedicated to the search and reporting of databases exposed on the Internet, in collaboration with researcher Vinny Troia, revealed the discovery of more than one billion records exposed in an Elasticsearch implementation. As the researchers report, the exposed records come from two different data collection companies (known as “data brokers”).
The first of these companies, People Data Labs, based in California, has not been able to demonstrate that it has the express consent of individuals for the commercial use of their information. In total, the company exposed 622 million email addresses, about 50 million phone numbers and profiles of people built from information gathered on platforms such as Facebook, LinkedIn and Twitter, among others. There are apparently no duplicate elements, so each record is unique.
Data protection specialists know this type of collection as “data enrichment”: starting from a single data point (such as a full name, a username on some online platform, a workplace, etc.), the broker searches for the rest of a user’s personal information; data brokers then profile each user and offer these profiles to marketing companies.
In total, the researchers found four data indexes, three of which belonged to People Data Labs. These three indexes covered details of more than one billion people, including email addresses and other contact details.
On the other hand, the fourth index belongs to OxyData.io, and appears to hold information collected only from LinkedIn. The two companies have already contacted the researchers, claiming that none of the databases were exposed by malicious users.
Carl Wearn, head of e-crime research at security firm Mimecast, said: “These data are not only useful for digital marketing companies, but cybercriminals also use these resources to deploy phishing campaigns, credential stuffing, among other attack variants.”
The picture is certainly complex, and data brokers prefer not to make major changes to their practices in order to provide better protections to users. For this reason, data protection specialists from the International Institute of Cyber Security (IICS) recommend that legislators and authorities in each country consider setting limits, both on social media platforms and on data collection companies, to prevent these kinds of personal details from being exposed within anyone’s reach.