Researchers have stumbled upon perhaps the biggest ever personal data breach in history. It has been found that as much as four-terabyte of sensitive personal data of more than a billion people was left unsecured on a Google Cloud server. Sensitive data including phone numbers, email addresses and social media profiles was leaked, researchers Vinny Troia and Bob Diachenko said.
The anonymous rogue server on which the researchers found the data disappeared after the expose was reported to the FBI, they said. Two data enrichment companies, People Data Labs and OxyData.io, were subsequently identified as the sources for the data that got exposed on the Google server.
Who are People Data Labs (PDL)?
People Data Labs is a data aggregation company that runs legitimate businesses. The company's website says it provides work emails and social media account details of as many as one-and-half billion people around the world. It claims that it has the complete data of high-profile decision makers in the US, UK and Canada. This massive data trove is collected from various sources and sold to customers for a price. The company says it opens the path to more than 70 percent of the decision makers in the US, UK and Canada.
How was the data leaked?
People Data Labs said the mountain of data did not sit on the company's servers but on Google cloud. The company's co-founder and chief executive officer Sean Thorne told Bloomberg that not all of the exposed data came from People Data Lab. Some of the data that was exposed was being aggregated by another firm that merges various data points, he told the news agency.
"We're committed to ensuring that our bulk data dumps are not exposed ... We're extremely sensitive to this and have multiple white-hat partners who are searching the internet in an effort to find vulnerable data sets and clamp down on them before they are discovered by nefarious actors," the company said in its website.
The company says a dataset of resume, contact, social, and demographic information for over 1.5 Billion unique individuals, is delivered to the customers. "With just a few lines of code, you can begin enriching anywhere from dozens to billions of records with over 150 data points. If you don't have the time, we can deliver the data straight to you via S3, SFTP, Google Drive, Elasticsearch."
Among the massive data the company has stored and sells are more than 420 million LinkedIn URLs, more than 1 billion Facebook URLs, and IDs and more than 400 million phone numbers as well as more than 200 million US-based valid mobile phone numbers.
How alarming is the situation?
People Data Labs and OxyData.io said the server that leaked the database was not theirs. It looks like that unknown operators have combined the massive data treasure trove from both these companies and then left it exposed. The vastly unprotected and unregulated data enrichment business scene is apparently to blame, experts say.
Vinny Troia, chief executive officer of Night Lion Security, says the laked data can easily end up in the hands of cybercriminals. "This is the first time ever that I've seen emails, names and numbers linked with Facebook, Twitter, LinkedIn and Github profiles all in one spot. There are no passwords related to this data, but having a new, fresh set of passwords isn't that exciting anymore. Having all of this social media stuff in one place is a useful weapon and investigative tool," he said, according to Techradar.