
People Data Labs Breach

Summarized by PlexPage
Last Updated: 02 July 2021



Data sleuth extraordinaire Bob Diachenko is at it again. His latest discovery: a collection of profiles containing detailed information on a staggering 1.2 billion individuals. As is often the case with the leaks Diachenko tracks down, this one was traced back to an unsecured Elasticsearch server. The information stored in the database appears to belong to two different companies, both of which run entirely legitimate data aggregation businesses. One source was People Data Labs, which bills itself as a "source of truth" for people data; PDL boasts that its profiles offer unparalleled coverage across more than 150 data points. The other was OxyData.io, a company that provides in-depth data on people and companies and says it holds aggregated data on more than 380 million people and some 14 million companies.

Diachenko and his colleague Vinny Troia compared samples from the exposed data with profiles supplied by PDL and OxyData. Both were nearly perfect matches. According to Troia's report, his own OxyData record contained a fairly complete copy of his LinkedIn profile; his PDL profile was even more detailed, down to a ten-year-old phone number he had been assigned as part of an AT&T bundle but never actually used.

The researchers contacted both companies, and both said the server leaking the database did not belong to them. Assuming that is true, it makes the leak more alarming, not less. This is the reality we face heading into 2020: scores of legitimate companies harvest data about us from sources all over the Internet, combine it into incredibly detailed profiles of us, and then sell or share those profiles with other companies. Data flows like water, and it keeps getting spilled. At 1.2 billion records, Troia notes, this is one of the largest leaks ever witnessed. We may never learn who compiled both companies' data into a single database and then left it exposed.

Even if we do, Troia notes that there may be very little that can be done. Data enrichment companies are still largely unregulated, and legal protections for our personal data are sadly lacking. Until that changes, the best we can do is change email addresses and phone numbers, and perhaps create new Facebook, Twitter or LinkedIn accounts from scratch. When it feels like the data will just be leaked again, though, many victims might wonder why they should even go through the trouble.

* Please keep in mind that all text is machine-generated, we do not bear any responsibility, and you should always get advice from professionals before taking any actions.

How Does Data Enrichment Work?

For a very low price, data enrichment companies let a customer take a single piece of information about a person and expand that profile with hundreds of additional data points. As the Exactis data breach showed, the information collected on a single person can include household size, finances and income, political and religious preferences, and even preferred social activities. Each time a company chooses to enrich a user profile, it also agrees to provide what it already knows about that person to the enrichment provider. Despite efforts by social media companies such as Facebook, the resulting data keeps being compounded, producing a situation with no oversight in which almost anyone's social and personal information can be downloaded with ease.

The Open Elasticsearch Server

Troia and Diachenko came across the Elasticsearch server while looking for exposures on the web scanning services BinaryEdge and Shodan. On further investigation, the researchers concluded that the data most likely originated from two data enrichment companies: People Data Labs and OxyData.io. Data enrichment, as the name suggests, is the process of enhancing existing raw data to make it more useful to businesses. Data enrichment companies provide access to large stores of data merged from multiple third-party sources, which lets their customers gain deeper insights into current and potential customers.

Elasticsearch stores its data in indexes, roughly analogous to databases in a relational system. The researchers found that the bulk of the data was spread across four separate indexes, labelled PDL and OXY, and that each user record carried a source field matching either PDL or OXY. After de-duplicating nearly 3 billion user records in the PDL indexes, they arrived at roughly 1.2 billion unique people and 650 million unique email addresses, numbers that match the statistics the companies publish on their own websites. The three PDL indexes differ slightly in content: some focus on scraped LinkedIn information, email addresses and phone numbers, while others hold individuals' social media profiles such as Facebook, Twitter and GitHub URLs. The OXY index turned out to be a scrape of LinkedIn data, including recruiter information.

What made the case confusing was that the Elasticsearch server was hosted on Google Cloud, while People Data Labs appeared to be using Amazon Web Services. When contacted about the server, both companies denied that it belonged to them. In an interview with WIRED, PDL co-founder Sean Thorne said: "The owner of this server likely uses one of our enrichment products, along with a number of other data-enrichment or licensing services. Once a customer receives data from us, or any other data providers, the data is on their servers and security is their responsibility. We perform free security audits, consultations, and workshops with the majority of our customers."

The news sparked discussion on Hacker News. While some users were stunned by the sheer negligence of leaving an Elasticsearch server wide open, others questioned the core business model of these companies. One user commented: "It has to exist on a private network behind a firewall with ports open to application servers and other ES nodes only. Running things on a public IP address is a choice that should not be taken lightly. Clustering over the public Internet is not a thing with Elasticsearch." Another user added: "It's a tragedy that all of this data was available to anyone in a public database instead of ... checks are available to anyone who is willing to sign up for a free account that allows them 1,000 queries. It seems like PDL's core business model is irresponsible regarding their stewardship of the data they've harvested." Read the full report on Data Viper's official website.
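As an added illustration, not code from the original article or from any of the companies involved, the following Python script audits an elasticsearch.yml for the three settings that turn a cluster into the kind of public, anonymous database the Hacker News commenter describes: a network.host bound beyond loopback, security left disabled, and plaintext HTTP. The two configuration fragments are constructed for the example; the finding names and severities are the script's own. It assumes the 6.x/7.x default of the time, in which security is off unless explicitly enabled (8.x turns it on automatically).

```python
# Added example: audits an elasticsearch.yml for the settings that make a
# cluster a public, anonymous database. Configs below are constructed.
import ipaddress
import re

SETTING_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*:\s*(.*?)\s*$")
# Elastic's special network.host values; the local/private/public labels are ours.
SPECIAL_HOSTS = {"_local_": "local", "_site_": "private", "_global_": "public"}


def parse_settings(text):
    """Flatten a simple elasticsearch.yml into {dotted.key: value} (scalars
    and inline lists only; a convenience for the example, not a YAML parser)."""
    settings = {}
    for raw in text.splitlines():
        m = SETTING_RE.match(raw.split("#", 1)[0])      # strip comments first
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if value.startswith("[") and value.endswith("]"):
            value = [v.strip().strip("'\"") for v in value[1:-1].split(",") if v.strip()]
        else:
            value = value.strip("'\"")
        settings[key] = value
    return settings


def classify_host(host):
    """Return 'local', 'private' or 'public' for one network.host entry."""
    if host in SPECIAL_HOSTS:
        return SPECIAL_HOSTS[host]
    if host == "localhost":
        return "local"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "public"                  # a hostname: assume the worst
    if addr.is_unspecified:              # 0.0.0.0 or :: means every interface
        return "public"
    if addr.is_loopback:
        return "local"
    return "private" if addr.is_private else "public"


def _is_true(value):
    return str(value).lower() == "true"


def audit_elasticsearch_config(text):
    """Return (severity, finding, detail) tuples; [] means nothing checked here is wrong."""
    s = parse_settings(text)
    findings = []
    # Elasticsearch listens on loopback only until network.host is changed.
    host = s.get("network.host", "_local_")
    hosts = host if isinstance(host, list) else [host]
    public = [h for h in hosts if classify_host(h) == "public"]
    private = [h for h in hosts if classify_host(h) == "private"]
    if public:
        findings.append(("high", "public-bind", f"network.host {public} answers on a routable address"))
    elif private:
        findings.append(("info", "private-bind", f"network.host {private} is RFC 1918; a firewall "
                         "must still admit only application servers and other ES nodes"))
    # Assumed default: security off unless enabled, as in the 6.x/7.x releases
    # current at the time of this leak (8.x switches it on automatically).
    if not _is_true(s.get("xpack.security.enabled", "false")):
        findings.append(("high", "no-auth", "xpack.security.enabled is not true: every request is anonymous"))
    if not _is_true(s.get("xpack.security.http.ssl.enabled", "false")):
        findings.append(("medium", "plaintext-http", "HTTP API is plaintext: queries and results cross the wire unencrypted"))
    if public and any(f[1] == "no-auth" for f in findings):
        findings.append(("critical", "open-database", f"public bind with no authentication: anyone who finds "
                         f"port {s.get('http.port', '9200')} (Shodan, BinaryEdge, a scan) can read or delete every index"))
    return findings


EXPOSED_CONFIG = """\
cluster.name: enrichment-merge
node.name: node-1
network.host: 0.0.0.0              # listen on every interface
http.port: 9200
discovery.type: single-node
"""

HARDENED_CONFIG = """\
cluster.name: enrichment-merge
node.name: node-1
network.host: [10.0.0.5, _local_]  # private interface plus loopback
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
xpack.security.transport.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for severity, finding, detail in audit_elasticsearch_config(cfg):
            print(f"  [{severity}] {finding}: {detail}")
```

A bind to a private address is reported only as informational because the config file cannot show whether a firewall admits only application servers and other nodes; that half of the commenter's advice has to be verified at the network layer, or from outside with the same scanners the researchers used. To run it on a real node, pass the contents of its elasticsearch.yml to audit_elasticsearch_config.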

Data Broker Sources

No one knows who owns the Google Cloud server that exposed 1.2 billion user records, seemingly merged from data brokers such as People Data Labs and OxyData. The brokers may simply have sold the data to customers who performed the merge and then left the resulting files on an unprotected server, which researcher Vinny Troia discovered in October using BinaryEdge and Shodan. The data merges home and cell numbers, social media profiles, work histories and email addresses. As Troia says: "This is the first time I've seen all these social media profiles collected and merged with user profile information into a single database on this scale. From the perspective of the attacker, if the goal is to impersonate people or hijack their accounts, you have names, phone numbers, and associated account URLs. That's a lot of information in one place to get you started."

The brokers don't think they were breached. PDL founder Sean Thorne hypothesizes that some of the data his company nonconsensually gathers on 1.5 billion people was sold to normal customers who mishandled it, and that this is their responsibility. OxyData executive Martynas Simanauskas says that while his company sells its nonconsensual dossiers on terms that require customers to manage the data conservatively, "there is no way for us to enforce all of our clients to follow the best data protection practices and guidelines."

They are right about one thing: once you gather and sell this data, you can't control it. It's pluripotent, omnitoxic and immortal. It's nuclear waste. What they are wrong about is the wisdom of selling that pluripotent, omnitoxic, immortal toxic waste, given that they can't control it. The fact that they cheerfully admit there is no way to ensure the nonconsensual dossiers they've assembled won't be weaponized against their subjects means it is incredibly reckless, even sociopathic, for these private profiteers to be in the business they're in.

When we compose threat models for privacy breaches, we often assume the adversary is rational: a supervillain with a long-term plan for committing crimes and then getting away with them. But time and again, the actors behind privacy breaches turn out to be petty dum-dums, short-term-thinking idiots who literally can't be bothered to password-protect their Google Cloud accounts. You can deal with rational villains through deterrence. Short-term, impulsive idiots are not deterrable. They're like crackheads stealing motorcycle spark plugs: unpredictable, irrational and, basically, unstoppable.

Liability and Privacy Concerns

The California Consumer Privacy Act took effect on January 1, 2020. Among its provisions is a private right of action for any consumer whose nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of a business's violation of its duty to implement and maintain reasonable security procedures and practices (Civil Code Section 1798.150). An interesting question is whether a company may face liability under this statute where one of its vendors or third-party contractors, to whom it has entrusted the personal information of its customers or clients, suffers a data breach.

The possibility of liability in such a scenario was addressed in a recent case from Delaware. In Eugenia v. Laboratory Corporation of America Holdings, C.A. No. 2020-0305-PAF, filed in the Delaware Court of Chancery on April 28, the plaintiffs asserted derivative claims against LabCorp's directors and officers arising from the data breach suffered by American Medical Collection Agency (AMCA), a third-party vendor LabCorp had engaged to collect patient receivables for its medical labs. The plaintiffs alleged that, as a result of the breach, 10.2 million LabCorp patients had their personal information compromised, and that the company's officers and directors had breached their fiduciary duties by, among other things, providing patients' personal and health information to third-party contractors that failed to use adequate cybersecurity safeguards. The plaintiffs' claims were buttressed by the fact that AMCA was allegedly a business associate of LabCorp under the Health Insurance Portability and Accountability Act (HIPAA), so that LabCorp had an obligation to ensure AMCA had appropriate safeguards in place to protect the privacy of the information.

But even apart from the particular obligations arising under HIPAA, the case raises the question of whether, under the CCPA, companies may be liable when vendors or third-party contractors to whom they have entrusted confidential information suffer a data breach. In broad terms, the plaintiffs in Eugenia allege that where a company entrusts private data to others, it has an obligation to scrutinize and monitor the cybersecurity practices of the contractors and vendors with whom it does business. For insurance coverage purposes under a commercial general liability (CGL) policy, it may also matter whether the breach was suffered by the insured company itself or by a contractor or vendor of the insured, because of the publication requirement in the personal and advertising injury coverage (often referred to as Coverage B) that most CGL policies afford. That coverage is triggered by certain enumerated offenses, typically including injury arising out of oral or written publication, in any manner, of material that violates a person's right of privacy. Since disseminating someone's personal information without consent violates that person's right of privacy, several cases have addressed whether liability claims arising from data breaches may be covered under a CGL policy's personal and advertising injury coverage.


What is a Data Breach?

Some of the biggest data breaches in recorded history date from 2005 or later. Once governments and businesses moved from paper to digital records, data breaches became far more common. In 2005 alone, Privacy Rights Clearinghouse reported 136 data breaches, and more than 4,500 breaches have been made public since then. The true number is likely higher, since some of the breaches Privacy Rights Clearinghouse reports have an unknown number of compromised records. The 2014 Verizon Data Breach Investigations Report alone covered 2,100 data breaches in which 700 million records were exposed. Below is a list of data breach statistics leading up to and launching the age of data infiltration:

* The first computer virus, known as Creeper, was discovered in the early 1970s.
* In 2005, Privacy Rights Clearinghouse began its chronology of data breaches; 2005 was also the year the first data breach exposing more than 1 million records was recorded.
* The largest insider attack ran from 1976 to 2006, when Greg Chung of Boeing stole $2 billion worth of aerospace documents and gave them to China.
* AOL was the first victim of phishing attacks, in 1996.
* As of 2015, 25% of global data required security but was not protected.
* In 2017, Equifax, one of the three major US credit reporting agencies, exposed 145.5 million accounts, including names, Social Security numbers, dates of birth, addresses and, in some cases, driver's license numbers of American consumers.
* Social media data breaches accounted for 56% of data breaches in the first half of 2018.
* Over the past 10 years, there have been 300 data breaches involving the theft of 100,000 or more records.
* The United States saw 1,244 data breaches in 2018, with 446.5 million exposed records.
* Data breaches exposed 4.1 billion records in the first six months of 2019.
* As of 2019, cyber-attacks are considered among the top five risks to global stability.

Elasticsearch servers and personal data

The best way to ensure that the personal data your company handles is secure is to keep comprehensive controls on it, so that you know where it is at all times. Panda Data Control is a module of Panda Adaptive Defense created specifically to stop unauthorized access, modification and exfiltration of the data your company stores. It audits and discovers unstructured personal data on all endpoints, so you not only know what data you have and where it is, but also whether someone is accessing it or trying to modify it. This data breach is one of the largest in history, but it will not be the last. Make sure your company isn't the next to suffer a data breach.

The dangers of leaked data

1.2 billion records of personal data have leaked online in a massive security breach. The leaked data contains email addresses, employers, social media profiles, phone numbers, names, job titles and even geographic locations. Discovered by security researchers Vinny Troia and Bob Diachenko, the exposed data came with an index suggesting it was essentially sourced from a data enrichment company called People Data Labs. The unprotected Elasticsearch server contained as many as 622 million unique email addresses, the researchers added. The server was not owned by PDL, and it is believed that a customer failed to properly secure the database. "Exposed information includes email addresses, phone numbers, social media profiles and job history data," read the email notifications from Have I Been Pwned.

Interestingly, there is very little public information about PDL, which claims to build "people data". According to its LinkedIn profile, the San Francisco-based company has a dataset of 1.5 billion unique person profiles that can be used to "build products, enrich person profiles, power predictive modeling/AI, analysis, and more".

While the leaked information may seem general in nature, it can very well be exploited by cybercriminals to launch phishing attacks and spam, or simply be sold on the dark web. "Regardless of how well these data enrichment companies secure their own system, once they pass data downstream to customers, it's completely out of their control. My data - almost certainly your data too - is replicated, mishandled and exposed and there's absolutely nothing we can do about it. Well, almost nothing," said security researcher Troy Hunt in a blog post. "A recurring theme I'm finding with exposures of data of this nature is increasing outrage that the data aggregator obtained and used personal information in a fashion the owner of the data didn't consent to. It's not about how public the data might be through channels people choose to publish it, rather it's about the use of the data outside its intended context," he added.

12/3/2019 Initial Info:

For well over a decade, identity thieves, phishers and other online scammers have built a black market for stealing and aggregating consumer data that they use to break into people's accounts, steal their money or impersonate them. In October, dark web researcher Vinny Troia found one such trove sitting exposed and easily accessible on an unsecured server: 4 terabytes of personal information, about 1.2 billion records in all. While the collection is impressive for its sheer volume, the data does not include sensitive information such as passwords, credit card numbers or Social Security numbers. It does, though, contain profiles of hundreds of millions of people that include home and cell phone numbers, associated social media profiles on Facebook, Twitter, LinkedIn and GitHub, work histories seemingly scraped from LinkedIn, almost 50 million unique phone numbers and 622 million unique email addresses.

"It's bad that someone had this whole thing wide open," Troia says. "This is the first time I've seen all these social media profiles collected and merged with user profile information into a single database on this scale. From the perspective of the attacker, if the goal is to impersonate people or hijack their accounts, you have names, phone numbers, and associated account URLs. That's a lot of information in one place to get you started."

Troia found the server while looking for exposures with fellow security researcher Bob Diachenko on the web scanning services BinaryEdge and Shodan. The server's IP address simply traced to Google Cloud Services, so Troia does not know who amassed the data stored there. He also has no way of knowing whether anyone else found and downloaded the data before he did, but notes that the server was easy to find and access. WIRED checked six people's personal email addresses against the data set; four were there and returned accurate profiles. Troia reported the exposure to contacts at the Federal Bureau of Investigation, and within a few hours, he says, someone pulled the server and the exposed data offline. The FBI declined to comment for the story.

The data Troia discovered appears to be four data sets cobbled together. Three were labelled, perhaps by the server owner, as coming from a San Francisco data broker called People Data Labs. PDL claims on its website to have data on over 1.5 billion people for sale, including almost 260 million in the US. It also touts more than a billion personal email addresses, more than 420 million LinkedIn URLs, more than a billion Facebook URLs and IDs, and more than 400 million phone numbers, including more than 200 million valid US cellphone numbers. PDL co-founder Sean Thorne says that his company does not own the server that hosted the exposed data, an assessment Troia agrees with based on his limited visibility. It is also unclear how the records got there in the first place. "The owner of this server likely uses one of our enrichment products, along with a number of other data-enrichment or licensing services," Thorne says.
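The de-duplication the researchers performed on the PDL indexes (described under "The Open Elasticsearch Server" above) and the per-address check WIRED ran against the data set, as an added worked example in Python that is not the researchers' own tooling: records sharing a normalized email address or LinkedIn URL are merged transitively with a union-find, then unique people, email addresses and phone numbers are counted, and a single address can be looked up to see everything merged with it. The eight records are constructed for the example; they carry the source field the report describes and nothing from the real dump.

```python
# Added example: entity resolution over a dump of enrichment records.
# SAMPLE_RECORDS are constructed for the example, not taken from the leak.
import re
from collections import Counter


def norm_email(email):
    return email.strip().lower()


def norm_phone(phone):
    """Digits only; a US number written with its country code is cut to 10 digits."""
    digits = re.sub(r"\D", "", phone)
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits


def norm_linkedin(url):
    return re.sub(r"^https?://(www\.)?", "", url.strip().lower()).rstrip("/")


def link_keys(rec):
    """Identifiers strong enough to say two records describe one person.
    Phone numbers are deliberately not used for linking: they are recycled
    and shared (the unused AT&T number in Troia's profile is a case in point)
    and would merge strangers."""
    keys = {("email", norm_email(e)) for e in rec.get("emails", [])}
    if rec.get("linkedin_url"):
        keys.add(("linkedin", norm_linkedin(rec["linkedin_url"])))
    return keys


class UnionFind:
    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, i):
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]   # path halving
            i = self.parent[i]
        return i

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_records(records):
    """Group record indices that share an email or LinkedIn URL, transitively."""
    uf = UnionFind(len(records))
    first_seen = {}
    for i, rec in enumerate(records):
        for key in link_keys(rec):
            if key in first_seen:
                uf.union(first_seen[key], i)
            else:
                first_seen[key] = i
    clusters = {}
    for i in range(len(records)):
        clusters.setdefault(uf.find(i), []).append(i)
    return sorted(clusters.values())


def scope_exposure(records):
    """The headline numbers a researcher reports for a dump like this one."""
    emails = {norm_email(e) for r in records for e in r.get("emails", [])}
    phones = {norm_phone(p) for r in records for p in r.get("phone_numbers", [])}
    return {
        "records": len(records),
        "by_source": dict(Counter(r.get("source", "unknown") for r in records)),
        "unique_people": len(cluster_records(records)),
        "unique_emails": len(emails),
        "unique_phones": len(phones),
    }


def find_person(records, email):
    """Indices of every record merged with the one holding this address, i.e.
    the offline version of checking an address against the exposed data."""
    target = norm_email(email)
    for cluster in cluster_records(records):
        if any(norm_email(e) == target for i in cluster for e in records[i].get("emails", [])):
            return cluster
    return []


SAMPLE_RECORDS = [
    {"source": "PDL", "full_name": "Alex Example", "emails": ["alex@example.com"],
     "phone_numbers": ["+1 (415) 555-0100"], "linkedin_url": "linkedin.com/in/alexexample"},
    {"source": "PDL", "full_name": "Alex Example",
     "emails": ["Alex@Example.com", "a.example@work.example"], "phone_numbers": []},
    {"source": "PDL", "full_name": "A. Example", "emails": ["a.example@work.example"],
     "phone_numbers": ["4155550100"]},
    {"source": "OXY", "full_name": "Alex Example", "emails": [],
     "linkedin_url": "https://www.LinkedIn.com/in/alexexample/"},
    {"source": "OXY", "full_name": "Sam Sample", "emails": ["sam@example.org"],
     "phone_numbers": ["14155550199"], "linkedin_url": "linkedin.com/in/samsample"},
    {"source": "PDL", "full_name": "Sam Sample", "emails": ["sam@example.org"]},
    {"source": "PDL", "full_name": "No Identifiers"},
    {"source": "PDL", "full_name": "Pat Placeholder", "emails": ["pat@example.net"],
     "phone_numbers": ["415-555-0100"]},   # Alex's recycled number: same digits, different person
]

if __name__ == "__main__":
    print(scope_exposure(SAMPLE_RECORDS))
    print("records linked to alex@example.com:", find_person(SAMPLE_RECORDS, "alex@example.com"))
```

On the sample, eight records collapse to four people, four unique addresses and two unique phone numbers, and the lookup for alex@example.com returns all four records of that cluster, including the OXY one that shares only a LinkedIn URL. The last record shows why phones only get counted, not linked: Pat holds the same normalized number as Alex and would otherwise be merged into the wrong person, which is exactly the kind of stale contact data (a number assigned but never used) that Troia found in his own profile.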

Leak a big deal

While the leak lacks the sort of personal information, such as passwords or credit card details, that would make it most valuable to cybercriminals, the fact that it exposes email addresses, phone numbers and social media profiles is still a big deal, according to Rich Turner, CyberArk's senior vice-president for EMEA. It "makes a phishing expedition, or an attempt to otherwise find, profile and compromise high-value targets - individuals or organisations - that much easier," he says. "The vast amount of data in the repository contains enough intelligence and detail to launch a well-targeted campaign which would allow motivated groups or individuals to obtain access, credentials and other highly valuable information."

"Over the years, hundreds of billions of online accounts have been exposed, meaning that personal information on every human on the face of the earth has been stolen 20 times or more," says Cybereason chief security officer Sam Curry. "This latest exposure is like astronomy: billions and billions cease to be personal or mean anything. In reality, this data breach is a stark reminder that consumers need to rethink their own security hygiene. Today, everyone should assume their private information has been stolen numerous times and will continue to be accessible to a growing number of threat actors."

How alarming is the situation?

There are obvious risks of identity theft and account takeover, but the combination of information exposed in a third-party data breach can also lead to particularly worrying phishing attacks. The AMCA breach discussed above, which also exposed Quest Diagnostics patients, is a case in point. As Cathy Allen, CEO of Shared Assessments, points out: "This is alarming as it shows adversaries are attacking healthcare, insurance and financial information in one hack. Even though test results are not accessible, just the types of tests prescribed might indicate the type of illness that you would not want employers or insurance companies to have. Thieves often steal and resell insurance data on the internet. Having other information makes the data more valuable and prices higher."

We know that Quest's lab results were not leaked, but we also know that medical information was. The reasonable inference is that this consists of medical coding attached to bills, which could potentially be traced back to conditions and diagnoses; even without codes, uniform billing amounts could be traced back to specific tests and procedures. If that is indeed what the "medical data" mentioned in AMCA's statement consists of, it is a powerful tool for phishers when combined with the financial and personal information this third-party breach makes available. Phishers and scammers could easily pose as a target's physician or insurance company, citing private medical details to inspire confidence. Blackmail is also a possibility if public figures were among the victims. This third-party data breach will seem particularly unfair to some, as many of the Quest customers exposed in this mishap were not patrons by choice: they may have been sent to the company by court order, under duress from an employer, or as part of what they believed to be a private and safe screening process.