An open Elasticsearch server has exposed the rich profiles of more than 1.2 billion people to the open internet.
The database was initially discovered on October 16 by researchers Bob Diachenko and Vinny Troia.
The data comprises threadbare information from social media platforms like Facebook and LinkedIn, combined with other credentials like names, personal and work email addresses, and phone numbers.
The profiles offer a complete view of people, including their employment and education histories. All of the information was unsecured, with no login required to access it.
“It is a comprehensive dataset collected from B2B [business-to-business] lead-generation companies’ lists,” Diachenko told Threatpost via Twitter.
If accessed by hackers, the data, which contains a slew of related accounts tied to each individual, could be used for very effective, targeted phishing attacks, business email compromises and identity theft, among other things.
“Information like this is extremely useful to criminals as a starting point in hacking a number of related accounts and also lends itself the potential for increased credential stuffing attacks,” Carl Wearn, head of e-crime at Mimecast, said via email. “This information obviously also provides a fantastic treasure trove of information for the means of industrial, political and state-related espionage and there are multiple malicious uses for the data leaked from this breach.”
“Data breaches that expose information such as phone numbers to personal accounts like email or social accounts are just as serious as ones that expose payment information,” Zack Allen, director of threat operations at ZeroFOX, told Threatpost. “Luckily for payment information, you can change your credit card, or your password to your accounts. But what can victims of this breach do when their phone number and Facebook profile is leaked? Changing your phone number can cost money with your carrier, you also have to update all of your contacts with your new phone number, plus all of your two-factor accounts.”