What happened
According to public breach records, the Data & Leads data breach on November 14, 2018 is reported to have exposed the personal information of 44,320,330 accounts.
In November 2018, security researcher Bob Diachenko identified an unprotected database believed to be hosted by a data aggregator. Upon further investigation, the data was linked to marketing company Data & Leads. The exposed Elasticsearch instance contained over 44M unique email addresses along with names, IP and physical addresses, phone numbers and employment information. No response was received from Data & Leads when contacted by Bob and their site subsequently went offline.
On November 14, 2018, security researcher Bob Diachenko of HackenProof discovered roughly 73 GB of data sitting in publicly accessible Elasticsearch instances that had no password or authentication, located via a routine Shodan search. The data was an aggregated marketing/lead-generation dataset of U.S. individuals — names, employers, job titles, emails, physical addresses, phone numbers, and IP addresses — which Troy Hunt's Have I Been Pwned de-duplicated down to about 44.3 million people; a second index held ~25 million "Yellow Pages"-style business records. The records were attributed to Toronto-based data aggregator Data & Leads based on the field structure, and the company's website went offline around the time of disclosure, though the firm itself was never confirmed to have been hacked.
What data was exposed
The following types of personal data were compromised:
- Email addresses
- Employers
- IP addresses
- Job titles
- Names
- Phone numbers
- Physical addresses
Breach details
| Detail | Value |
|---|---|
| Breach name | Data & Leads |
| Date | November 14, 2018 |
| Accounts affected | 44,320,330 |
| Domain | datanleads.com |
This summary is compiled from public breach-notification data and known leak databases. Figures reflect what those sources report and may be revised as more is learned. If something here looks wrong or you think your information is involved, contact our support team.
We report breaches as a factual record to help people check their exposure. Inclusion here is not an allegation of wrongdoing or negligence by Data & Leads; it reflects a publicly reported security incident.
What to do now
Based on the data exposed in this breach, here are the steps you should take:
- Treat unexpected emails and calls referencing your employer or job title as likely phishing or social-engineering — the leaked records pair your name with workplace details that make targeted scams more convincing.
- Be cautious of phone-based scams (vishing) and SMS phishing, since your phone number was exposed alongside your name and address; don't act on unsolicited requests for money or credentials.
- Consider opting out of data-broker and lead-generation aggregators, since this exposure was compiled marketing data rather than a single account you control.
- Stay alert for mail and address-based fraud given that your physical address was part of the dataset.
Check your exposure
Data breaches are one of the ways your personal information ends up on data broker sites. Run a free scan to see which sites are exposing your personal data — and take action to remove it.
Sources
Find out what data brokers know about you
Run a free scan to see which sites are exposing your personal information — name, phone, address, email, and more.
Start your free scan →