What happened

According to public breach records, the Exactis data breach on June 1, 2018 is reported to have exposed the personal information of 131,577,763 accounts.

In June 2018, the marketing firm Exactis inadvertently leaked 340 million records of personal data to the public internet. Security researcher Vinny Troia of Night Lion Security discovered that the leak contained multiple terabytes of personal information spread across hundreds of separate fields, including addresses, phone numbers, family structures and extensive profiling data. The data was collected as part of Exactis' service as a "compiler and aggregator of premium business & consumer data", which the company then sells for profiling and marketing purposes. A small subset of the exposed fields was provided to Have I Been Pwned and contained 132 million unique email addresses.

In June 2018, security researcher Vinny Troia of Night Lion Security found that Florida data-aggregation firm Exactis had left a database of roughly 340 million records (about 2 TB) on a publicly accessible server with weak or no authentication. He discovered it via a Shodan search for exposed Elasticsearch instances. The data was not stolen by hackers but was openly reachable online; Exactis secured the server after being notified. The exposure was notable for the breadth of its profiling fields (interests, family structure, religion, lifestyle), but it contained no Social Security or credit card numbers, making it most useful for social engineering and phishing rather than direct financial fraud.

What data was exposed

The following types of personal data were compromised:

  • Credit status information
  • Dates of birth
  • Education levels
  • Email addresses
  • Ethnicities
  • Family structure
  • Financial investments
  • Genders
  • Home ownership statuses
  • Income levels
  • IP addresses
  • Marital statuses
  • Names
  • Net worths
  • Occupations
  • Personal interests
  • Phone numbers
  • Physical addresses
  • Religions
  • Spoken languages

Breach details

Detail               Value
Breach name          Exactis
Date                 June 1, 2018
Accounts affected    131,577,763
Domain               exactis.com

This summary is compiled from public breach-notification data and known leak databases. Figures reflect what those sources report and may be revised as more is learned. If something here looks wrong or you think your information is involved, contact our support team.

We report breaches as a factual record to help people check their exposure. Inclusion here is not an allegation of wrongdoing or negligence by Exactis; it reflects a publicly reported security incident.

What to do now

Based on the data exposed in this breach, here are the steps you should take:

  • Be alert to highly targeted phishing or impersonation that cites accurate personal details about you to seem credible.
  • Verify any bank, retailer, or government contact via an official number you look up yourself, since leaked phone numbers and facts enable convincing scams.
  • Submit opt-out and deletion requests to people-search and data-broker sites, the type of source this profile came from.
  • Enable two-factor authentication on email and financial accounts to blunt any phishing that follows.
