Exactis leak exposes 340 million personal records: Phone numbers, home addresses and religious beliefs were publicly accessible

“Exactis might be fueled by data, but its recent blunder is a warning that any database without firewall protection is susceptible to leaks,” Katrina Filippidis reports for Engadget. “The data aggregation company recently exposed over 300 million personal records — statistically speaking, that’s enough to cover the entire US population.”

“The leak was first discovered by Vinny Troia, a security researcher and founder of Night Lion Security. On a routine investigation using Shodan — a search engine that allows users to identify internet-connected devices — he looked up databases on open servers, and eventually stumbled upon the Exactis database, which, rather curiously, lacked any kind of firewall,” Filippidis reports. “He found a 2TB data bank that stored nearly 340 million individual records, completely exposed to anyone acquainted well enough with cyber security.”

“Sensitive data including personal interests, home and email addresses, religious beliefs, smoking status, phone numbers, and even the number, age and sex of a family’s children — were all visible,” Filippidis reports. “Unlike Equifax, or the colossal Yahoo breach, there’s currently no evidence to suggest hackers obtained any of Exactis’ data and used it with malicious intent.”

Read more in the full article here.

“‘It seems like this is a database with pretty much every US citizen in it,’ says Troia, who is the founder of his own New York-based security company, Night Lion Security. Troia notes that almost every person he’s searched for in the database, he’s found,” Andy Greenberg reports for Wired. “And when WIRED asked him to find records for a list of 10 specific people in the database, he very quickly found six of them. ‘I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen,’ he says.”

“Troia contacted both Exactis and the FBI about his discovery last week, and he says the company has since protected the data so that it’s no longer accessible,” Greenberg reports. “While the lack of financial information or Social Security numbers means the database isn’t a straightforward tool for identity theft, the depth of personal info nonetheless could help scammers with other forms of social engineering, says Marc Rotenberg, executive director of the nonprofit Electronic Privacy Information Center.”

Read more in the full article here.

MacDailyNews Take: Would that the levels of security and privacy that Apple delivers were matched by companies that are in possession of pretty much everything needed to steal someone’s identity and basically ruin their lives. All of the information that people like us choose Apple products in order to protect can be pissed away in one fell swoop by braindead outfits like Exactis. Looks like we could have used some random porous Windows PCs and Android phones for all that privacy and security matters to shit outfits like Exactis.

Guard your privacy as best you can, but, hey, keep sending your DNA to random companies to do with whatever they like, m’kay? (dripping sarcasm)

Equifax’s latest breach is very possibly the worst leak of personal info ever – September 8, 2017
Beleaguered Yahoo faces U.S. SEC probe over data breaches – January 23, 2017
Yahoo confirms data breach of at least 500 million user accounts – September 22, 2016
1.16 million more reasons why Apple Pay is the future: Staples’ security breach payment card debacle – December 20, 2014
Judge rules banks can sue Target over credit card breach; Apple Pay value proposition intensifies – December 8, 2014
Massive data breach: Target’s Windows-based PoS terminals were infected with malware – January 13, 2014


  1. When are we going to get a law that allows lawsuits or mandatory fines for companies that put up citizen’s data that have no clear security to prevent citizen’s data theft?

    Come on, let’s get real. Theft of valuable assets is THEFT.

    If a bank did not lock ALL of its doors and failed to turn on the alarm systems at night, the bank would be liable for the theft of its depositors cash and safety deposit boxes.

      1. “Some say”….

        This would include liars with a political axe to grind.

        Until the current Attorney General, the official census was interested in simply counting how many people lived where, for obvious administrative purposes. When you are interested in managing infrastructure, you normally don’t care at what stage of immigration a person with a funny name and accent might be. For 200 years, the laws of the USA downright encouraged any and all immigrants, letting assimilation take place and law enforcement judge people by their actions. Only in the last few years has populist rhetoric pushed for every government agency to become a militarized deportation mechanism — with Patriot Act expenses and creepy spy games only growing more pervasive by the year.

        Now some people are so paranoid they think the country is too full (it isn’t), too scary (violent crimes are at historic lows, even less than the 1968 “Summer of Love”). They demand BOTH unlimited personal armaments AND historic high levels of government intervention into everyone’s private business. Under the guise of security, Big Brother functions in the federal government are growing, the president providing cover for the bloated military industrial complex by whipping extremists into a frenzy about overblown fears of terroists and rapists overrunning what, by inference, he must think are a bunch of helpless pansies.

        The present administration thinks it can judge character by religion or national birthplace. Hence all the lies about mixed race Obama being born abroad. It proved that xenophobic propaganda is alive and working in what used to be a free country.

        Of course anyone can jump up and down screaming about the need to brutally and literally enforce all laws. These same people can be found breaking laws every day. These same people claim the government is ineffective inefficient evil and always in the way, yet they demand taxpayers dump neverending billions into useless border and immigration policies, like the stupid child abuse stuff and shitloads of military toys for rangers who occasionally pick up a dehydrated desperate runaway in the desert. HOW ABOUT FIXING THE LAWS? A goddamn great wall of china is the biggest waste of resources imaginable, as is housing asylum seekers on your dime and mine. You and I aren’t safer when we deny “illegals” basic internationally recognized human rights. We are literally creating rhe propaganda videos for the next crazy terrorist. By the way, since 2001, the only mass terror events have been done by the hands of crazy American citizens. If we want to actually have better public safety, let’s put efforts where it will do measueable good.

        Here’s my proposal: Border Automation

        At the border turnstile, foreign applicants for entry can insert their foreign issued ID card, get fingerprints and retinal scan, upload their resume/diplomas/etc, name their legal USA contacts or show their acceptance letters for college or future employers, insert $10,000 for processing, and be admitted or rejected in minutes. We have the tech to do this. Who needs a goddamned concrete eyesore looping the country?

        Simple. No need for drones, body armor, prisons, automatic weapons, humvees, and the rest of the crap we pay for today. ICE can be called anytime a criminal is detained and deportations can happen then without you and me paying to lock up innocent poor people stuck in a stupid immigration system.

        If you are truly that paranoid about brown skinned people beyond what reasonable border tracking and domestic law enforcement already exists, including the entire northern US border, you and Trump should both seek professional help.

  2. There should be strict repercussions for this type of transgression – especially in this new digital world. Between this leak and Equifax, no one has any semblance of having even the slightest privacy to the point where nefarious persons can wholly pretend to be you and even name your childhood pet’s name.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.