Have You Been Pwned? One Billion User Records Left Online For Open Picking
If there's one thing that's certain in today's digital age, it's that finding details about a person isn't too difficult. Social media platforms such as Facebook and Twitter, and networking platforms including LinkedIn, store details for millions of users. This information is often collected with consent, but then passed on to advertisers and other entities.
Entire marketplaces exist in which registered firms sell data gathered from the sources mentioned above. Yesterday, researchers Vinny Troia and Bob Diachenko confirmed that data on 1.2 billion people was found sitting on an openly accessible Elasticsearch server, a widely used enterprise search and analytics engine.
Researchers Confirm Data Set Covering 1.2 Billion People Left Unsecured on Elasticsearch
The data, now available for checking at HaveIBeenPwned, originates from two brokerages. It was discovered by Vinny Troia while he was evaluating the scanners BinaryEdge and Shodan. One of the brokerages is People Data Labs, based in California, which sells such data sets to advertisers and others who want them for commercial purposes. According to Troia, users have not consented to this commercial use of their data.
Troia's investigation shows that the data set consists of 622 million email addresses, 50 million unique phone numbers and profiles of people built by pulling their details from various online platforms, including Facebook, Twitter, LinkedIn and GitHub.
The set follows the principle of 'data enrichment', in which a single data point for a person is used as the starting point for looking up his or her other details. Those details are then combined into a profile that lets advertisers and others understand the finer points of an individual's life.
Of the four indexes discovered by the two researchers, three originated from People Data Labs. Together they cover details of 1.2 billion people, drawn from LinkedIn, Facebook, Twitter and GitHub, along with phone numbers and email addresses. Scanning through them, Troia also found a 10-year-old phone number that he had been given as part of an AT&T TV bundle, and one that he had never used.
The fourth index originates from OxyData.io and focuses exclusively on details gathered from LinkedIn. OxyData provided Troia with a copy of the index on request, and both companies assured him that their servers had not been breached.
The indexes were not hosted on the brokerages' own servers; it's likely that one of their customers left them open for access. The server holding these indexes had the IP address 18.104.22.168, and only law enforcement agencies can determine who was behind the leak.
“Information like this is extremely useful to criminals as a starting point in hacking a number of related accounts and also lends itself to the potential for increased credential stuffing attacks,” Carl Wearn, head of e-crime at Mimecast, told Threatpost. “This information obviously also provides a fantastic treasure trove of information for the means of industrial, political and state-related espionage and there are multiple malicious uses for the data leaked from this breach.”