Mysterious data breach called ‘db8151dd’ exposed email, physical address, and job titles of 22 MILLION people – but no one knows exactly where the records came from
- A public server contained more than 100 million records on 22 million people
- Data included full names, email addresses, phone numbers, job titles, and more
- Security researchers were unable to find the source of the breach
- Expert Troy Hunt hypothesizes the data was from a customer management system
Personal data on tens of millions of people has been exposed in a data breach without a discernible source, according to an Australian security expert.
Researcher Troy Hunt says the breach, dubbed ‘db8151dd’ – which was disclosed to him in February – exposed the private information of more than 22 million people whose data was stored on a publicly accessible server.
The exposed information, Hunt details in a new blog post, includes email addresses, phone numbers, physical addresses, full names, job titles and social media profiles.
Despite the discovery of the data set, neither Hunt nor Dehashed, the security service that came to Hunt with the data, has been able to determine exactly who owned the server or what sources the information was harvested from.
Though much of the data contained in the database could have been scraped from sources like Facebook or LinkedIn, Hunt said his research ruled out that banal origin given some of the contents – for example, Hunt’s own phone number – and the fact that the information was seemingly associated by owners’ recent contacts.
‘…my record was immediately next to someone else I’ve interacted with in the past as though the data source understood the association,’ Hunt wrote in a post.
‘I found that highly unusual as it wasn’t someone I’d expect to see a strong association with and I couldn’t see any other similar folks.’
Given that peer association, Hunt hypothesized that the data may have been aggregated by a Customer Relationship Management system, but added that the source was still just a guess.
‘But nowhere – absolutely nowhere – was there any indication of where the data had originated from,’ Hunt wrote.
Despite failing to uncover the sources of the breach, Hunt entered the information into the HaveIBeenPwned database, a resource that allows people to search whether their email addresses have been linked to a hack or similar compromise.
As far as safeguarding against breaches like this goes, Hunt writes that he’s also at a loss:
‘There’s nothing you nor I can do about it beyond being more conscious than ever about just how far our personal information spreads without our consent and indeed, without our knowledge. And, perhaps most alarmingly, this is far from the last time I’ll be writing a blog post like this,’ he wrote in a post.