Whoa Nellie. Here is the ultimate spear phishing data trove.
WIRED reported: "Earlier this month, security researcher Vinny Troia discovered that Exactis, a Palm Coast, Florida-based data broker, had exposed a database that contained close to 340 million individual records on a publicly accessible server.
"The haul comprises close to two terabytes of data that appears to include personal information on hundreds of millions of American adults, as well as millions of businesses.
"While the precise number of individuals included in the data isn't clear—and the leak doesn't seem to contain credit card information or Social Security numbers—it does go into minute detail for each individual listed, including phone numbers, home addresses, email addresses, and other highly personal characteristics for every name.
According to WIRED, the categories range from "interests and habits to the number, age, and gender of the person's children, phone numbers, addresses, dates of birth, estimated income, number of children, age and gender of children, education level, credit rating, interests" etc.
Security researcher Vinny Troia of Night Lion Security discovered the database through a Shodan search. Exactis is a marketing data company that provides companies with the sort of information needed to target ads to people browsing the Web.
Troia told Wired, "It seems like this is a database with pretty much every US citizen in it," adding, "I don't know where the data is coming from, but it's one of the most comprehensive collections I've ever seen."
While the data did not include credit card or social security numbers, it did include everything from political preferences to browsing and purchase data for a wide variety of items. Taken together, the pieces of information would allow an advertiser or database user to form a very detailed picture of the targeted individual.
In terms of size, the Exactis leak dwarfs the Equifax breach, which exposed nearly 146 million records. Exactis has now taken the database off the public Internet, but has made no public statement on the affair. At the time of this article's publication, the company's website was down, with a request returning a 508 error.
With detailed info like that you can fully automate social engineering attacks at scale. OUCH!
What is your actual social engineering attack surface?
We have something super cool for everyone, customers and non-customers both, and there is no cost.
Many of the email addresses and identities of your organization are exposed on the Internet and easy to find for cybercriminals. With that email attack surface, they can launch social engineering, spear phishing and ransomware attacks on your organization.
Our NEW Email Exposure Check Pro goes even further to identify the at-risk users in your organization by crawling business social media information and scouring hundreds of breach databases. This is done in two stages:
First Stage: Does deep web searches to find any publicly available organizational data. This will show you what your organizational structure looks like to an attacker, which they can use to craft targeted spear phishing attacks.
Second Stage: Finds any users that have had their account information exposed in any of several hundred breaches, using Have I Been Pwned. These users are particularly at risk because an attacker knows more about that user, up to and including their actual passwords!
Your EEC Pro Reports: We will email you back a summary report PDF of the number of exposed emails, identities and risk levels found. You will also get a link to the full detailed report of actual users found, including breach name and if a password was exposed.
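To make the second stage concrete from the defender's side, here is an added example (not KnowBe4's EEC Pro code) that takes a list of an organization's addresses, looks each one up against breach records, flags the ones where a password was exposed, and ranks them by risk the way the summary report above describes. The live `hibp_lookup` function assumes a Have I Been Pwned v3 API key and uses the documented `breachedaccount` endpoint with `truncateResponse=false` so that the breach data classes are returned; the `SAMPLE_BREACHES` records and the `example.com` addresses are constructed so the ranking runs offline.

```python
"""Rank an organization's email addresses by breach exposure (added example).

Models the "second stage" above: each address is checked against breach
records and users whose password was exposed are ranked highest.
"""
import json
from typing import Callable, Dict, List
from urllib.error import HTTPError
from urllib.parse import quote
from urllib.request import Request, urlopen

# A lookup returns a list of breaches shaped like HIBP's breachedaccount
# response: each breach has a Name and the DataClasses it exposed.
BreachLookup = Callable[[str], List[dict]]

# Constructed sample records standing in for a breach database (not real data).
SAMPLE_BREACHES: Dict[str, List[dict]] = {
    "alice@example.com": [
        {"Name": "ExampleForum", "DataClasses": ["Email addresses", "Passwords"]},
        {"Name": "ExampleShop", "DataClasses": ["Email addresses", "Names"]},
    ],
    "bob@example.com": [
        {"Name": "ExampleShop", "DataClasses": ["Email addresses", "Names"]},
    ],
    "carol@example.com": [],
}


def sample_lookup(email: str) -> List[dict]:
    """Offline lookup over the constructed sample records."""
    return SAMPLE_BREACHES.get(email, [])


def hibp_lookup(email: str, api_key: str) -> List[dict]:
    """Live lookup against HIBP v3 (assumes you hold an API key).

    truncateResponse=false is required to get DataClasses back; HIBP answers
    404 for an address that appears in no breach.
    """
    url = ("https://haveibeenpwned.com/api/v3/breachedaccount/"
           f"{quote(email)}?truncateResponse=false")
    req = Request(url, headers={"hibp-api-key": api_key, "user-agent": "eec-example"})
    try:
        with urlopen(req) as resp:
            return json.load(resp)
    except HTTPError as err:
        if err.code == 404:
            return []
        raise


def assess(email: str, breaches: List[dict]) -> dict:
    """Classify one user: high if a password leaked, medium if only other data, low if clean."""
    password_exposed = any("Passwords" in b.get("DataClasses", []) for b in breaches)
    if password_exposed:
        risk = "high"
    elif breaches:
        risk = "medium"
    else:
        risk = "low"
    return {
        "email": email,
        "breaches": sorted(b["Name"] for b in breaches),
        "password_exposed": password_exposed,
        "risk": risk,
    }


def rank_users(emails: List[str], lookup: BreachLookup) -> List[dict]:
    """Assess every address and order the result highest risk first."""
    order = {"high": 0, "medium": 1, "low": 2}
    results = [assess(e, lookup(e)) for e in emails]
    results.sort(key=lambda r: (order[r["risk"]], -len(r["breaches"]), r["email"]))
    return results


def summarize(results: List[dict]) -> dict:
    """Counts for the summary report: total, exposed at all, password exposed."""
    return {
        "total": len(results),
        "exposed": sum(1 for r in results if r["breaches"]),
        "password_exposed": sum(1 for r in results if r["password_exposed"]),
    }


if __name__ == "__main__":
    ranked = rank_users(list(SAMPLE_BREACHES), sample_lookup)
    print(json.dumps(summarize(ranked)))
    for row in ranked:
        print(row["risk"], row["email"], row["breaches"])
```

The lookup is injected so the same ranking logic runs over the offline sample data or over live HIBP results; whichever source you use, the users flagged `high` are the ones an attacker could pair with a known password, which is the group the detailed report above is meant to surface first.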
This is so important that even if you already ran your one-time no-charge legacy EEC, you are eligible to try the new Pro version. Run your complimentary one-time Email Exposure Check Pro here. Results come back in a few minutes.
PS: Don't like to click on redirected buttons? Copy/Paste this in your browser: