A depressingly regular part of being online in 2017 is having some of your personal information leaked to the internet. Enter your email into security-researcher Tory Hunt’s Have I Been Pwned site, which tracks major hacks and database leaks, and see how many times your own info has been left out in the open.
Luckily, these leaks have (relatively) little information about you, usually a combination of your username and maybe an encrypted form of your password, with occasionally more concerning information like your security questions.
Not that this is great! If you don’t use password managers (and you should), it means you’ll need to change up your passwords not only on the sites affected but also on any other site where you used the same password.
Then there are more disturbing cases, like the recent CloudPets leak, in which a database for an internet-connected plush toy potentially allowed malicious users to discover over 2 million voice recordings between parents and their children.
But researcher Troy Hunt recently was recently sent a 52.2 GB CSV file with much more detailed information on over 33 million people. Here, for example, is just a partial excerpt of some of the data from Zack Whittaker, a journalist at ZDNet, who allowed Hunt to publish his information:
netprospex contact id”: “177496766”
“first name”: “Zack”
“last name”: “Whittaker”
“job title”: “Writer Editor”
“contact phone 1”: “(415) 344-2000”
“contact phone 2”: “(415) 344-2000”
“primary job function”: “Marketing”
“all job functions”: “Creative”
“company name”: “CBS Interactive Inc.”
“company phone”: “(415) 344-2000”
“location type”: “HQ”
“street address”: “235 2Nd St”
“city”: “San Francisco”
“postal code”: “94105”
“county”: “San Francisco”
“web address”: “http://www.zdnet.com”
“revenuerange”: “$100 mil to less than $250 mil”
“employee range”: “500 to less than 1,000”
“primary industry”: “Advertising & Marketing”
It’s not surprising, in and of itself, that there would be this type of record for Whittaker. If you work in corporate America and are in any way a possible sales or marketing prospect, whether that’s a purchasing manager or an editor, there is a whole industry dedicated to compiling this information about you, and packaging and selling it to others.
Two things make this leak concerning. One, it seems to originate from Dun & Bradstreet after it purchased NetProspex in 2015. Dun & Bradstreet is one of the biggest, and most well-regarded, corporate-information database companies out there. When contacted by Zack Whittaker at ZDNet about the leak, Dun & Bradstreet gave only this statement: “We’ve carefully evaluated the information that was shared with us and it is of a type and in a format that we deliver to customers every day. Based on our analysis, it was not accessed or exposed through a Dun & Bradstreet system.” But Dun & Bradstreet does sell this information to third parties — and while it claims the leak did not occur through one of its clients, the information had to come from somewhere.
But the truly worrying thing is just how much information is here, and how many people were exposed. Of the 33 million, over 100,000 worked for the Department of Defense; over 70,000 worked for major financial institutions; and nearly 35,000 worked for Kaiser Foundation Hospitals. With the amount of information provided, social-engineering hacking campaigns, like spear phishing and whaling, have just become infinitely easier.
You can check to see if you were affected at Have I Been Pwned. I did the same, dropping in my personal email address. At first, I felt relief (and, to be honest, a bit of smugness) to see that it looked like I was in the clear.
Then I tried using an email address from a former employer — and there I was. Then I tried another. And there I was again. The smugness disappeared. That information about me is out there, it’s never coming back, and there’s nothing I can do about it. Welcome to being online in 2017.