Apollo data breach (2018) — what was exposed and what to do

What happened

According to public breach records, the Apollo data breach on July 23, 2018 is reported to have exposed the personal information of 125,929,660 accounts.

In July 2018, the sales engagement startup Apollo left a database containing billions of data points publicly exposed without a password. The data was discovered by security researcher Vinny Troia who subsequently sent a subset of the data containing 126 million unique email addresses to Have I Been Pwned. The data left exposed by Apollo was used in their "revenue acceleration platform" and included personal information such as names and email addresses as well as professional information including places of employment, the roles people hold and where they're located. Apollo stressed that the exposed data did not include sensitive information such as passwords, social security numbers or financial data. The Apollo website has a contact form for those looking to get in touch with the organisation.

In July 2018, the sales-engagement company Apollo (apollo.io) left a database of its "revenue acceleration platform" publicly exposed online without a password, and security researcher Vinny Troia discovered it and provided a subset of roughly 126 million unique email addresses to Have I Been Pwned. The records were largely business-contact data the company had assembled from publicly available sources — including scraped LinkedIn and Twitter profiles — alongside client-imported information, and Apollo stated the exposure did not include passwords, Social Security numbers, or financial data. It was notable for its scale (over 200 million contact records spanning roughly 10 million companies) and because the exposed professional details (names, employers, job titles, locations, social profiles) are well-suited to crafting targeted phishing. ["Treat email tied to your name, employer, and job title as a phishing/spear-phishing target — be wary of unsolicited messages that reference your real role or company, and verify sender addresses before clicking links or opening attachments.", "Expect an uptick in unsolicited sales and recruiting outreach to this address; consider filters or an alias for business contact, since the data is geared toward lead-generation marketing.", "Review the privacy and visibility settings on the social and professional profiles (e.g. LinkedIn, Twitter) that feed aggregators like this, and opt out of the platform's database where that option is offered.", "No passwords were exposed, so a password change is not required for this incident — but enabling two-factor authentication on your email account remains a sensible defense against the phishing risk this professional data enables."]

What data was exposed

The following types of personal data were compromised:

• Email addresses
• Employers
• Geographic locations
• Job titles
• Names
• Phone numbers
• Salutations
• Social media profiles

Breach details

This summary is compiled from public breach-notification data and known leak databases. Figures reflect what those sources report and may be revised as more is learned. If something here looks wrong or you think your information is involved, contact our support team.

We report breaches as a factual record to help people check their exposure. Inclusion here is not an allegation of wrongdoing or negligence by Apollo; it reflects a publicly reported security incident.

What to do now

Based on the data exposed in this breach, here are the steps you should take:

• Watch for phishing texts and calls referencing your personal details.

Check your exposure

Data breaches are one of the ways your personal information ends up on data broker sites. Run a free scan to see which sites are exposing your personal data — and take action to remove it.

Sources

• Have I Been Pwned: Apollo Data Breach
• Sales engagement startup Apollo says its massive contacts database was stolen in a data breach | TechCrunch