Security researchers Bob Diachenko and Vinny Troia have discovered an unsecured server holding 4 terabytes of personal data, about 1.2 billion records. The records were easily accessible online: the researchers were able to access and download the data from a web browser without any password or other authentication.
The researchers published a blog post stating that the data they discovered totalled 4 TB and was labeled “PDL” and “OXY”. The first dataset, “PDL”, contained data on 1.5 billion unique individuals, a billion personal email addresses (including work emails for millions of decision-makers in Canada, the UK, and the US), 420 million LinkedIn URLs, a billion Facebook URLs and IDs, over 400 million phone numbers, and 200 million valid US mobile phone numbers. The second dataset, “OXY”, contained data scraped from LinkedIn profiles, including information on recruiters.
The data leaked via an open and unsecured Elasticsearch server, but who operated that server is still a mystery. The data originated at two data aggregation companies: People Data Labs, which calls itself “the source of truth for personal data”, and OxyData.io, a company that provides “in-depth data on people and companies.”
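The exposure pattern in this incident is an Elasticsearch node that answers HTTP requests with no authentication. As an added illustration (not configuration from the page or from either company), here is the kind of elasticsearch.yml that produces that exposure, followed by a hardened version; it assumes Elasticsearch 7.x with the bundled X-Pack security features, and the cluster name and certificate paths are hypothetical.

```yaml
# --- Exposed configuration: the pattern behind leaks like this one ---
# Listening on every interface with security disabled lets anyone who can
# reach port 9200 list and download every index, no password required.
cluster.name: people-data            # hypothetical cluster name
network.host: 0.0.0.0                # binds to all interfaces, public ones included
http.port: 9200
xpack.security.enabled: false        # no authentication, no TLS
---
# --- Hardened configuration ---
cluster.name: people-data
network.host: 127.0.0.1              # or a private interface; a public address
                                     # belongs behind a firewall or reverse proxy
http.port: 9200
xpack.security.enabled: true         # every request must carry credentials
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12                 # assumed path
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12    # assumed path
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12  # assumed path
# After enabling security, set the built-in user passwords with
# bin/elasticsearch-setup-passwords before the node is reachable by anyone.
```

A quick self-check after restarting the node: an unauthenticated request to the HTTP port should now return 401 rather than cluster or index data.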
When the researchers contacted both companies, each company’s spokesperson said the server did not belong to them. “This is an incredibly tricky and unusual situation,” wrote Troia in the blog. “The lion’s share of the data is marked as ‘PDL’, indicating that it originated from People Data Labs. However, as far as we can tell, the server that leaked the data is not associated with PDL.”
While this leak does not include sensitive information such as passwords or credit card details, it is still considered the biggest in history. According to Rich Turner, CyberArk’s senior vice-president of EMEA, even though the leak does not expose such sensitive data, the exposure of email addresses, phone numbers, and social media profiles is still a big deal.