DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Personal And Social Information Of 1.2 Billion People Discovered In Massive Data Leak, But Who’s Responsible??

Posted on November 22, 2019 by Dissent

Over on DataViper.io, Vinny Troia reports that he and Bob Diachenko found a massive data leak that appears to implicate two data enrichment firms:  People Data Labs (PDL), and OxyData.io.  But “implicate” is not the same thing as being able to actually attribute ownership of the elasticsearch server that was open at 35.199.58.125, and both companies denied ownership of the server.

In terms of the quantity and types of data exposed, Troia reports that after deduplication, the PDL user records revealed

roughly 1.2 billion unique people, and 650 million unique email addresses, which is in-line with the statistics provided on their website. The data within the three different PDL indexes also varied slightly, some focusing on scraped LinkedIN information, email addresses and phone numbers, while other indexes provided information on individual social media profiles such as a person’s Facebook, Twitter, and Github URLs.

The OxyData.io data, in contrast, “revealed an almost complete scrape of LinkedIN data, including recruiter information.”
But with neither PDL nor OxyData claiming ownerships (denials that Troia and Diachenko seem to believe based on their research), the public is left with a few questions, at least:

  1.  If the exposed data is not 100% match with PDL and OxyData (and it does not appear to be), then who processed the PDL data to produce the data found on this server?
  2. The data includes data of Canadian, UK, and U.S. citizens.  Does the database violate GDPR? Did whoever is responsible for the data get consent of any EU persons?

As Troia notes, it is often difficult — and in this case impossible — for them to determine ownership.  Google cloud services would know, but they will never tell except under legal process. Google is willing to call a customer and alert them to a security concern, but they will not disclose the name of the customer to whoever reports the leak, and they cannot make the customer do anything.

But maybe a complaint to the ICO would result in more transparency?

 


Related:

  • Inquiry launched after identities of SAS soldiers leaked in fresh data breach
  • Government will 'robustly defend' compensation claims from Afghans put at risk by data breach
  • More than 100 British government personnel exposed by Ministry of Defence data leak
  • Gladney Adoption Center had serious data exposures in the past few months. What will they do to prevent more?
  • Meta fixes bug that could leak users’ AI prompts and generated content
  • McDonald’s McHire leak involving ‘123456’ admin password exposes 64 million applicant chat records
Category: Exposure

Post navigation

← Lithuanian national, extradited from Ukraine, charged with unauthorized computer intrusion, other crimes
French Hotel Giant Leaks 1TB+ of Client Data →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Scattered Spider Hijacks VMware ESXi to Deploy Ransomware on Critical U.S. Infrastructure
  • Hacker group “Silent Crow” claims responsibility for cyberattack on Russia’s Aeroflot
  • AIIMS ORBO Portal Vulnerability Exposing Sensitive Organ Donor Data Discovered by Researcher
  • Two Data Breaches in Three Years: McKenzie Health
  • Scattered Spider is running a VMware ESXi hacking spree
  • BreachForums — the one that went offline in April — reappears with a new founder/owner
  • Fans React After NASCAR Confirms Ransomware Breach
  • Allianz Life says ‘majority’ of customers’ personal data stolen in cyberattack (1)
  • Infinite Services notifying employees and patients of limited ransomware attack
  • The safe place for women to talk wasn’t so safe: hackers leak 13,000 user photos and IDs from the Tea app

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Wiretap Suits Pit Old Privacy Laws Against New AI Technology
  • Action against tiny Scottish charity sparks huge ICO row
  • Congress tries to outlaw AI that jacks up prices based on what it knows about you
  • Microsoft’s controversial Recall feature is now blocked by Brave and AdGuard
  • Trump Administration Issues AI Action Plan and Series of AI Executive Orders
  • Indonesia asked to reassess data privacy terms in new U.S. trade deal
  • Meta Denies Tracking Menstrual Data in Flo Health Privacy Trial

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.