A February data breach involving 122 million records of marketing data has been confirmed to have come from B2B data broker DemandScience, though the company was called Pure Incubation at the time.
It is still not clear exactly when or how the data breach took place, but the stolen information was put up for sale on a hacking forum in February 2024. DemandScience is now saying that the data was taken from a system that was decommissioned two years ago and that it was likely an attack on a partner or contractor.
B2B data broker aggregated business information from public sources
In total the breach includes information on about 122 million people, though the data broker gathers most of its information by scraping public sources. The data it collects is organized into individual profiles that are sold to other businesses for lead generation or targeted marketing. Each record might include full names, physical business addresses, email addresses, telephone numbers, job titles and functions, and social media links, depending on what the company was able to find.
Though this data could very well be used to aid phishing and scam attempts, it is not particularly sensitive, as reflected by the asking price when it was posted to BreachForums: the hacker initially sought $6,000 for it, but the price soon dropped to a few US dollars per buyer. The data broker has issued a statement saying that it does not process sensitive personal data or personal non-business information such as login credentials or home addresses. In the initial reporting on the story earlier this year, there was some confusion about hashed passwords possibly being included in the stolen information, but Have I Been Pwned’s Troy Hunt has cleared this up by confirming that the suspect bcrypt hashes do not show any signs of being login credentials.
The hacker goes by the handle “KryptonZambie” and has been seen offering stolen data for sale on at least several other occasions this year. They took responsibility for a March attack on AI photo editing tool Cutout.Pro that exposed 20 million customer records and included hashed and salted passwords, and for another attack on former lead generation service Leadzen.ai that involved about 780k records. Then in April, the hacker claimed to be sitting on a massive amount of sensitive information stolen from the government of the Philippines, including 152 GB of citizen identity cards. However, this post was quickly removed from the hacking forum after users started asking for evidence. The threat actor has possible ties to India and to a ransomware group called RobinHouse.
DemandScience has suggested that a “contractor or publisher partner” may have been breached, but the data broker said that it is continuing to monitor the situation and that it “would not be appropriate” to further address that point yet.
Data broker security called into question yet again
The incident once again puts a spotlight on data brokers that largely operate in the shadows, at least in the US, without much in the way of regulation limiting what they take in and how they generate user profiles. Their core business activity is enough to raise concerns, but there are also questions about who they share all this data with and the overall security of these supply chains.
Other similar data brokers that are not exactly household names have been breached in recent years, each with stolen record totals in the tens of millions: Exactis, Data & Leads, and an incident involving an unnamed broker that had some 66 million records of scraped LinkedIn data sitting in an improperly secured public-facing database. There have been a number of others that have exposed millions of records of this type. For the most part the general public has no idea that these companies even exist and are building these sorts of profiles on them, let alone who their data partners are or when some sort of security incident takes place.
Lacking a federal data privacy bill, Americans are left with little legal option for addressing these incidents save for severely locking down what they post and share on social media and business platforms that might be scraped. Some states provide more rights, but at present only California would allow a user to go directly to a data broker like DemandScience and have a right to opt out of collection.
Roger Grimes, data-driven defense evangelist at KnowBe4, notes that there is something of a common defeatist attitude given both how often data is leaked and how little there is in place to protect data subjects: “I don’t know where to start, but I guess the first place is that 183M people’s business records are available for sale by a hacker and it isn’t even being covered by the major news media. Over 100M records stolen or available for sale and it doesn’t rank as big news. Secondly, a hacker is offering all that up for $6K. Ten years ago, a hacker would have probably asked for $6M. But today, everyone’s information is out there in so many places – so many free places – that it’s basically unsellable. Who’s going to pay for something that you can get for free? And is someone having your information, again, even really a worry? It’s certainly not a new worry. Our information is out there in so many places that hearing that it is stolen or available again really isn’t news. Who cares if my business email address or even social security number is out there for the tenth time? The first time it’s stolen and available, that’s a worry. But now our information has been stolen so much that we are pretty much numb to the supposed “news” that our information is out. Yeah, of course! What else is new?”
Tyler Reese, Director of Product Management at Netwrix, observes that the fact that an “outdated” system was the source of the breach provides a reminder of the need to take a complete inventory of assets and to implement an asset and server retirement strategy: “The news about the breach mentions that DemandScience’s breach was caused by an old system that had been offline for nearly two years and remained exposed without the company’s knowledge. This situation sheds light on a common issue: Neglected or untracked systems can quickly turn into security liabilities if left unmonitored. To prevent this kind of situation in the future, organizations should prioritize a few key cybersecurity practices. First, it is essential to maintain a detailed, up-to-date inventory of all systems. This can be achieved by using an asset management tool like a Configuration Management Database (CMDB), which centralizes and tracks all assets to ease monitoring. Second, organizations must classify the data stored on each system and specify who has access to it, ensuring that sensitive information is safeguarded and access is restricted. For the first purpose, they can consider using data classification tools, while an identity and access management (IAM) solution can assist with the second one. Finally, a well-defined asset and server retirement strategy should be in place, directly linked to the CMDB, ensuring that all systems are accounted for and properly decommissioned when no longer in use. By combining these proactive measures, organizations can reduce the risk of a breach associated with compromising poorly tracked and monitored systems.”
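The failure mode described above, a system recorded as decommissioned that is still reachable from the internet, is exactly what a periodic reconciliation of the CMDB against an observed external footprint catches. The following is an added illustration, not code from DemandScience or Netwrix; the CMDB rows, hostnames and observed-host list are constructed sample data, and the field names (hostname, status, owner, data_class, retired_on) are an assumed schema for this example only.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class CmdbRecord:
    hostname: str
    status: str                 # "active" or "decommissioned"
    owner: str
    data_class: str             # e.g. "public", "internal", "personal"
    retired_on: Optional[date] = None

# Constructed CMDB export: what the organization believes it operates.
CMDB = [
    CmdbRecord("web-01.example.test", "active", "marketing", "internal"),
    CmdbRecord("legacy-api.example.test", "decommissioned", "platform",
               "personal", date(2022, 10, 1)),
    CmdbRecord("db-02.example.test", "decommissioned", "platform",
               "personal", date(2024, 1, 15)),
]

# Constructed observation of the organization's own external footprint
# (e.g. its DNS records plus a scan of its own address ranges): what
# actually answers today. db-02 is absent, i.e. it was really taken down.
OBSERVED = {"web-01.example.test", "legacy-api.example.test",
            "shadow-export.example.test"}

def reconcile(cmdb, observed, today, grace_days=30):
    """Return (hostname, finding, detail) triples for hosts needing action.

    retired_but_exposed  decommissioned past the grace period, still reachable
    missing_retire_date  decommissioned, but no retirement date was recorded
    untracked            reachable, but absent from the CMDB entirely
    """
    by_host = {r.hostname: r for r in cmdb}
    findings = []
    for host in sorted(observed):
        rec = by_host.get(host)
        if rec is None:
            findings.append((host, "untracked", "no owner or data classification"))
        elif rec.status == "decommissioned":
            if rec.retired_on is None:
                findings.append((host, "missing_retire_date", f"owner={rec.owner}"))
            elif (age := (today - rec.retired_on).days) > grace_days:
                findings.append((host, "retired_but_exposed",
                                 f"{age} days after retirement, "
                                 f"data_class={rec.data_class}, owner={rec.owner}"))
    return findings

if __name__ == "__main__":
    for host, kind, detail in reconcile(CMDB, OBSERVED, date.today()):
        print(f"{kind:20} {host}  {detail}")
```

Hosts that are active in the CMDB and reachable, or decommissioned and no longer reachable, produce no finding; every other combination is routed to the recorded owner, with the data classification indicating how urgent the takedown is.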