[BreachExchange] Mysterious data breach called 'db8151dd' exposed email, physical address and job titles of 22 MILLION people - but no one knows exactly where the records came from

Destry Winant destry at riskbasedsecurity.com
Mon May 18 10:23:00 EDT 2020


https://www.dailymail.co.uk/sciencetech/article-8324759/Mysterious-data-breach-called-db8151dd-exposed-email-physical-address-job-titles-22M-people.html

The personal data on tens of millions of people was been exposed in a
data breach without a discernible source, according to an Australian
security expert.

Researcher Troy Hunt says the breach, dubbed 'db8151dd' - which was
disclosed to him in February - exposed the private information of more
than 22 million people whose data was stored on a publicly accessible
server.

Among the information, Hunt details in a new blog post, are email
addresses, phone numbers, physical addresses, full names, job titles
and social media profiles.

Researcher and security expert Troy Hunt says that the database still
doesn't have a determinable owner despite multiple months of research
(stock)

Despite the discovery of the data set, neither Hunt nor the security
service, Dehashed, which came to Hunt with the data, have been able to
determine exactly who owned the server and what sources information
was harvested from.

Though much of the data contained in the database could have been
scraped from sources like Facebook or LinkedIn, Hunt said his research
ruled out that banal origin given some of the contents - for example,
Hunt's own phone number - and the fact that information was seemingly
associated by owners' recent contacts.

'...my record was immediately next to someone else I've interacted
with in the past as though the data source understood the
association,' Hunt wrote in a post.

'I found that highly unusual as it wasn't someone I'd expect to see a
strong association with and I couldn't see any other similar folks.'

Facebook buys major GIF-making site Giphy for $400 MILLION...Melting
glacier in Alaska could trigger a catastrophic...MIT researchers
develop wireless system that measures use...Why 'The Scream' is
FADING: Radiation analysis shows...

Given that peer association Hunt hypothesized that it's possible that
the data was aggregated by a Customer Relationship Management system,
but added that the source was still just a guess.

'But nowhere - absolutely nowhere - was there any indication of where
the data had originated from,' Hunt wrote.

Despite failing to uncover the sources of the breach, Hunt entered the
information into the HaveIBeenPwned database, a resource that allows
people to search whether their email addresses have been linked to a
hack or similar compromise.

As far as safeguarding against breaches like this goes, Hunt writes
that he's also at a loss:

'There's nothing you nor I can do about it beyond being more conscious
than ever about just how far our personal information spreads without
our consent and indeed, without our knowledge. And, perhaps most
alarmingly, this is far from the last time I'll be writing a blog post
like this,' he wrote in a post.


More information about the BreachExchange mailing list