[BreachExchange] Almost 9.5 Million PII Records Leaked by Data Aggregator Adapt

Inga Goddijn inga at riskbasedsecurity.com
Fri Nov 23 15:08:32 EST 2018


https://news.softpedia.com/news/almost-9-5-million-pii-records-leaked-by-data-aggregator-adapt-523931.shtml

*A publicly available and unprotected MongoDB database found by security
researcher Bob Diachenko exposed 9,376,173 records of
personally identifiable data collected by the Adapt.io data aggregator.*

As detailed by Diachenko
<https://blog.hackenproof.com/industry-news/another-decision-makers-database-leaked/>,
the wide open 123 GB database was directly accessible by anyone with a
MongoDB ID, an Internet connection, and the knowledge needed to find the
exposed server.

The database records contained a wide range of information from
individuals' full names, company name and description, the company's size
and revenue to phone numbers, company domain, and the total number of
contacts for the company and emails for each of the contacts.

"While the data itself might be non-sensitive, the availability of it
online without any authentication is not something you would expect," said
Diachenko. "The lawfulness of web scraping as a method of gathering data is
debated, but open access to private data is definitely illegal."

Moreover, companies found to break the EU's General Data Protection
Regulation (GDPR) are subject to fines of up to €20 million or 4% of their
annual worldwide turnover, whichever is greater.

Although this should be incentive enough even for companies with annual
turnovers in the multiple billions, there are still enough organizations
that don't take data protection as seriously as they should.

Adapt did not provide any response to Diachenko's contact attempts

Diachenko's analysis of the leaked data led to a data aggregation service
named Adapt.io which, according to its own website's description, "provides
access to millions of business contacts. Adapt's free tools help you enrich
business profiles on any website with email, phone and a number of
contacts."

Despite at least one Adapt.io representative being contacted by Diachenko
as part of a responsible disclosure procedure, the data aggregation service
did not provide any response or explanation of why the 123 GB MongoDB
containing 9.3M records of PII data was left unprotected and publicly
accessible.

Until further details are provided by Adapt.io, there is no info regarding
the reasons behind their massive database of employee records being made
publicly available.

Bob Diachenko found another public customer record database, this one 200 GB
in size,
<https://news.softpedia.com/news/veeam-leaked-over-445-million-records-via-exposed-database-522644.shtml>
on September 5th; it was owned by the data recovery and backup company Veeam,
which had failed to secure it and exposed 445 million records related to an
automated marketing campaign using Marketo.
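To make the exposure described above concrete from the defender's side, here is an added example (not from the article, Diachenko's write-up or Adapt.io) that audits a mongod.conf for the two settings whose combination produces exactly this kind of leak: listening on a non-loopback address while running without authorization. The sample configs are constructed; net.bindIp, net.bindIpAll and security.authorization are MongoDB's real configuration keys.

```python
# Constructed sample configs (not Adapt.io's; the post gives no config).
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # every interface, public ones included
# no security section: authorization stays at its default, disabled
"""

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1   # loopback only; reach it over SSH/VPN, not the Internet
security:
  authorization: enabled
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_mongod_conf(text):
    """Read the two-level 'section:' / '  key: value' YAML subset used by
    mongod.conf (comments stripped) into dotted keys such as 'net.bindIp'."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if line == line.lstrip():      # unindented line opens a section
            section = key
        elif section:
            settings[f"{section}.{key}"] = value.strip()
    return settings

def audit(settings):
    """Return findings; an empty list means neither weakness is present."""
    bind = settings.get("net.bindIp", "127.0.0.1")  # 3.6+ default; older builds listened on all interfaces
    exposed = (settings.get("net.bindIpAll", "false").lower() == "true"
               or any(a.strip() not in LOOPBACK for a in bind.split(",")))
    no_auth = settings.get("security.authorization", "disabled") != "enabled"
    findings = []
    if exposed and no_auth:
        findings.append("CRITICAL: reachable beyond loopback with no authentication")
    if exposed:
        findings.append(f"net.bindIp={bind!r}: bind to loopback or firewall port 27017")
    if no_auth:
        findings.append("security.authorization is not 'enabled'")
    return findings
```

Run it against a server's real mongod.conf before exposing the host; a CRITICAL finding is the state the article describes, and a private-range bindIp still needs a firewall rule even though it is not flagged here.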