What happened
According to public breach records, the Straffic data breach on February 14, 2020 is reported to have exposed the personal information of 48,580,249 accounts.
In February 2020, Israeli marketing company Straffic exposed a database with 140GB of personal data. The publicly accessible Elasticsearch database contained over 300M rows with 49M unique email addresses. Exposed data also included names, phone numbers, physical addresses and genders. In their breach disclosure message, Straffic stated that "it is impossible to create a totally immune system, and these things can occur".
In February 2020, a security researcher (handle 0m3n) traced a spam message back to a web server belonging to Israeli marketing firm Straffic and found a .env configuration file containing plaintext credentials; the file had been deployed with the site rather than excluded from the repository. Those credentials pointed to a publicly accessible AWS Elasticsearch database holding roughly 140GB of contact data: over 300 million rows covering 48.6 million unique email addresses, along with names, phone numbers, physical addresses and gender. Troy Hunt of Have I Been Pwned observed that about 70% of the exposed emails already appeared in prior breaches, indicating that much of the data was an aggregated marketing contact set. Straffic secured the database after disclosure.
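The failure mode described above (a .env file with plaintext credentials shipped inside the web root, and no ignore rule keeping it out of the repository) is something a pre-deploy check can catch before a spam campaign does. The script below is an added example, not code from Straffic, the researcher, or the cited articles; the directory layout, file names, variable names and values it builds are constructed for illustration only. It walks a deployment tree, parses any dotenv-style files it finds, flags the ones holding credential-like values, and reports whether .gitignore would have kept each one out of version control.

```python
"""Added example (not Straffic's code or the page's): a pre-deploy check for
dotenv files carrying real credentials inside a deployment tree.

Everything in build_sample_tree() is constructed for this example; the host,
user and password values are not real.
"""
import os
import re
import tempfile
from fnmatch import fnmatch

# File names that commonly carry plaintext configuration secrets.
ENV_PATTERNS = ("*.env", ".env.*")
# Variable names that almost always hold credentials.
SECRET_KEY_RE = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|ACCESS_KEY)", re.I)
# Values that are placeholders rather than live secrets (e.g. in .env.example).
PLACEHOLDERS = {"", "changeme", "xxx", "<redacted>", "null", "none"}


def parse_dotenv(text):
    """Parse dotenv-style KEY=VALUE lines, ignoring comments and blank lines.
    Leading 'export ' and surrounding single/double quotes are stripped."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key.strip()] = value
    return values


def load_ignore_patterns(root):
    """Read .gitignore at root, one pattern per line ('#' lines are comments).
    Deliberately minimal: plain names and globs only, no negation or anchors."""
    path = os.path.join(root, ".gitignore")
    if not os.path.exists(path):
        return []
    with open(path) as f:
        return [l.strip() for l in f if l.strip() and not l.startswith("#")]


def is_ignored(relpath, patterns):
    """True if the file's basename or relative path matches an ignore pattern."""
    name = os.path.basename(relpath)
    return any(fnmatch(name, p) or fnmatch(relpath, p) for p in patterns)


def find_exposed_env_files(root):
    """Walk a deployment/web root and report dotenv files holding credential-like
    values. Each finding is (relative path, sorted secret keys, ignored_by_git)."""
    patterns = load_ignore_patterns(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip repo metadata
        for fn in filenames:
            if not any(fnmatch(fn, p) for p in ENV_PATTERNS):
                continue
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root)
            with open(full, errors="replace") as f:
                values = parse_dotenv(f.read())
            secret_keys = sorted(
                k for k, v in values.items()
                if SECRET_KEY_RE.search(k) and v.strip().lower() not in PLACEHOLDERS
            )
            if secret_keys:
                findings.append((rel, secret_keys, is_ignored(rel, patterns)))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree (not real data): a public/.env with live-looking
    credentials that .gitignore does not cover, plus an .env.example whose
    placeholder values must not be reported."""
    root = tempfile.mkdtemp(prefix="envcheck-")
    os.makedirs(os.path.join(root, "public"))
    with open(os.path.join(root, ".gitignore"), "w") as f:
        f.write("node_modules/\n*.log\n")  # note: no .env entry
    with open(os.path.join(root, "public", ".env"), "w") as f:
        f.write(
            "# constructed sample, not real credentials\n"
            "ES_HOST=https://es.example.internal:9200\n"
            "ES_USER=ingest\n"
            "ES_PASSWORD='correct horse battery staple'\n"
            "export API_TOKEN=abc123constructed\n"
        )
    with open(os.path.join(root, ".env.example"), "w") as f:
        f.write("ES_HOST=\nES_USER=\nES_PASSWORD=changeme\nAPI_TOKEN=\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, keys, ignored in find_exposed_env_files(sample_root):
        status = "ignored by git" if ignored else "NOT in .gitignore"
        print(f"{rel}: credential keys {keys} ({status})")
```

Run against the directory you are about to publish (the build output, not just the source checkout) and treat any finding as a blocker. The check is only the first layer: the web server should also refuse to serve dotfiles, and a datastore such as Elasticsearch should never be reachable from the internet without authentication, because a leaked connection string is only dangerous when the endpoint it names answers to anyone.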
What data was exposed
The following types of personal data were compromised:
- Email addresses
- Genders
- Names
- Phone numbers
- Physical addresses
Breach details
| Detail | Value |
|---|---|
| Breach name | Straffic |
| Date | February 14, 2020 |
| Accounts affected | 48,580,249 |
| Domain | straffic.io |
This summary is compiled from public breach-notification data and known leak databases. Figures reflect what those sources report and may be revised as more is learned. If something here looks wrong or you think your information is involved, contact our support team.
We report breaches as a factual record to help people check their exposure. Inclusion here is not an allegation of wrongdoing or negligence by Straffic; it reflects a publicly reported security incident.
What to do now
Based on the data exposed in this breach, here are the steps you should take:
- Treat the exposed email and phone number as known to spammers — be skeptical of unexpected marketing messages, texts, and calls, and never act on links or attachments in them (this exposure was discovered because it was fueling spam).
- Watch for targeted phishing that uses your real name and physical address to appear legitimate; verify any sender independently before responding or sharing more details.
- Consider filtering or replacing the affected email address for important accounts, since it is now part of widely circulated marketing/contact datasets.
- No passwords, SSNs, or financial data were exposed here, so no credential or credit action is needed for this incident specifically — focus on phishing and spam vigilance.
Check your exposure
Data breaches are one of the ways your personal information ends up on data broker sites. Run a free scan to see which sites are exposing your personal data — and take action to remove it.
Sources
- 49 Million Unique Emails Exposed Due to Mishandled Credentials — BleepingComputer
- Have I Been Pwned: Straffic Data Breach