Absolutely humongous data breach exposes more than a billion records
Well, this is certainly not great: An unprotected database of more than a billion users' records from across the internet — including "social media accounts, email addresses, and phone numbers" — was discovered on an unidentified Elasticsearch server that could be accessed by anyone with the server's web address.
What's even weirder is, according to Bloomberg, no one is exactly sure how it got there.
The discovery was made in October by cybersecurity experts Bob Diachenko and Vinny Troia; the 4 terabytes of data they found also included Facebook, Twitter, and LinkedIn profile information. All told, the server contained information on four billion user accounts and 650 million unique email addresses, affecting 1.2 billion people.
As WIRED points out, though, it's important to keep in mind what the data does not include: things like passwords and credit card numbers. So at least there's that! Troia also told WIRED that the server is no longer online and that he reported its presence to the FBI.
While it's unknown how the data got to be on this server, there are a few things Troia was able to uncover. First, it seems like the data came from multiple datasets, some of it from data broker People Data Labs (PDL), which provides "data enrichment." (TL;DR: It provides data points on internet users so brands can create more specific content with which to target these users.)
Second, the server the information was found on did not belong to PDL. Troia reports that PDL "appears to use Amazon Web Services" for their servers, while the mystery data-laden server was residing — again, unprotected — on Google's Cloud Services. Neither the server nor the data was controlled by Google.
[...] Troia and Sean Thorne, co-founder of People Data Labs (PDL), both indicated to WIRED that the data probably wasn't obtained via a breach of PDL, but may have been obtained legitimately by a customer who bought the data for data enrichment purposes and left it unprotected.
Said Thorne, "The owner of this server likely used one of our enrichment products, along with a number of other data enrichment or licensing services. Once a customer receives data from us, or any other data providers, the data is on their servers and the security is their responsibility."
[...] The scariest thing, as Troia points out, is that if this really is just gross mismanagement of legitimately obtained data, there's little to be done in terms of holding anyone accountable for the breach.
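The failure mode the excerpt describes is an Elasticsearch node that answers HTTP requests with no credentials at all: anyone with the address can read the root document and then list every index. The script below is an added example for checking nodes you are responsible for; it is not code from the article, from WIRED, or from Troia or PDL. The sample responses are constructed for the demonstration, and the host name in the trailing comment is a placeholder, not a real server.

```python
"""Check whether an Elasticsearch HTTP endpoint answers without credentials.

Added example, not code from the article or from any party it names.
Nothing here connects anywhere unless you call probe() yourself.
"""
import json
import urllib.error
import urllib.request

# Every Elasticsearch node returns this tagline in its root document (GET /).
ES_TAGLINE = "You Know, for Search"


def classify(status, body):
    """Classify one HTTP response to GET / on a suspected Elasticsearch port.

    Returns 'open' when the node root document came back with no auth,
    'auth_required' when the server demanded credentials, otherwise 'not_es'.
    """
    if status == 401:
        return "auth_required"
    if status != 200:
        return "not_es"
    try:
        doc = json.loads(body)
    except ValueError:
        return "not_es"
    if isinstance(doc, dict) and doc.get("tagline") == ES_TAGLINE and "version" in doc:
        return "open"
    return "not_es"


def summarize_indices(cat_json):
    """Total documents and list index names from a _cat/indices?format=json body.

    The _cat API reports doc counts as strings; closed indices report null.
    """
    rows = json.loads(cat_json)
    total = 0
    names = []
    for row in rows:
        names.append(row["index"])
        count = row.get("docs.count")
        if count not in (None, ""):
            total += int(count)
    return total, sorted(names)


def fetch(url, timeout=5):
    """GET url and return (status, body_text); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def probe(base_url):
    """Probe a live endpoint you are authorised to test; returns a small report dict."""
    base = base_url.rstrip("/")
    status, body = fetch(base + "/")
    verdict = classify(status, body)
    report = {"verdict": verdict, "indices": [], "docs": 0}
    if verdict == "open":
        status, body = fetch(base + "/_cat/indices?format=json")
        if status == 200:
            report["docs"], report["indices"] = summarize_indices(body)
    return report


# Constructed sample responses for the offline demonstration (not captured from any real server).
SAMPLE_ROOT_OPEN = json.dumps({
    "name": "node-1", "cluster_name": "elasticsearch",
    "version": {"number": "7.4.2"}, "tagline": ES_TAGLINE,
})
SAMPLE_CAT = json.dumps([
    {"index": "people", "docs.count": "1000000", "store.size": "2gb"},
    {"index": "emails", "docs.count": "200500", "store.size": "90mb"},
    {"index": "archive", "docs.count": None, "status": "close"},
])

if __name__ == "__main__":
    print(classify(200, SAMPLE_ROOT_OPEN))          # open
    print(classify(401, '{"error": "unauthorized"}'))  # auth_required
    print(summarize_indices(SAMPLE_CAT))
    # Against a node you control (placeholder host, assumption):
    # print(probe("http://es.example.internal:9200"))
```

A verdict of "open" on a node that is also bound to a public interface is exactly the condition in the story. Only run `probe()` against hosts you are authorised to test. Elasticsearch has shipped authentication and TLS in its free Basic tier since 6.8 and 7.1 (released May 2019), so for current versions the fix is to enable `xpack.security.enabled` and bind `network.host` to a private address rather than leaving the node open behind nothing but an unguessable URL.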
(Score: 5, Insightful) by Runaway1956 on Saturday November 23 2019, @06:50AM (2 children)
https://www.worldometers.info/world-population/ [worldometers.info]
The world meter thingy says there are 7.7 billion humans on the earth. So, four billion accounts? That's more than half the earth's population. It's probably safe to say that you are affected, directly or indirectly, by this breach.
But, oh, wait!! TFS says it only affects 1.2 billion people? Sooooo . . . . how do we account for all those other accounts? Well, that may not be terribly difficult - we do have a bot account right here on SN.
Well, there's the problem. We have companies like PDL that aggregate all that data - for profit. That is, PDL is exploiting you, me, and every other user of the internet, for their own profit. Not just PDL, but dozens, hundreds, maybe thousands of other companies.
Maybe PDL isn't clearly "at fault" here, but they do share in the blame. They share in the basic lack of respect for privacy that has infested the internet, and the world at large.
(Score: -1, Flamebait) by Anonymous Coward on Saturday November 23 2019, @11:07AM
One Billion Runaways, screaming out into cyberspace, where no one can hear you, but they might be able to find a photo [gstatic.com].
(Score: 1, Informative) by Anonymous Coward on Saturday November 23 2019, @06:24PM
4 billion accounts / 1.2 billion users = average of 3 & 1/3 accounts per person.
Assumption -- most of the people compromised had accounts at Facebook, Twitter, and LinkedIn and some also had another account or two...
I wonder how old the data is? I closed my LinkedIn after the MS buyout, but MS probably still has the minimal info I supplied.