Mystery Data Breach Dubbed 'db8151dd' Exposes Records of 22 Million People (9to5mac.com) 25
An anonymous reader quotes a report from 9to5Mac: A massive data breach dubbed db8151dd has exposed the records of 22M people -- including addresses, phone numbers, and social media links. But the source of the data is a mystery. I got an email alert this morning from the haveibeenpwned.com site telling me that my details were included. The exposed data appears extensive: "Email addresses, Job titles, Names, Phone numbers, Physical addresses, Social media profiles." However, Troy Hunt, who runs the site, said that nobody has been able to identify where the information came from.
That 'interesting' data appears to come from customer relationship management (CRM) systems, including things like: "Recommended by Andie [redacted last name]. Arranged for carpenter apprentice Devon [redacted last name] to replace bathroom vanity top at [redacted street address], Vancouver, on 02 October 2007." Best guess is it's some kind of aggregated data from a number of sources, but as neither Hunt nor other information security professionals have been able to identify any of them despite attempts lasting almost three months, it appears the details of the privacy breach may remain a mystery. Hunt says there's almost 90GB of personal information in the open database.
"Back in Feb, Dehashed reached out to me with a massive trove of data that had been left exposed on a major cloud provider via a publicly accessible Elasticsearch instance. It contained 103,150,616 rows in total," writes Hunt. "The global unique identifier beginning with 'db8151dd' features heavily on these first lines hence the name I've given the breach. I've had to give it this name because frankly, I've absolutely no idea where it came from, nor does anyone else I've worked on with this."
That 'interesting' data appears to come from customer relationship management (CRM) systems, including things like: "Recommended by Andie [redacted last name]. Arranged for carpenter apprentice Devon [redacted last name] to replace bathroom vanity top at [redacted street address], Vancouver, on 02 October 2007." Best guess is it's some kind of aggregated data from a number of sources, but as neither Hunt nor other information security professionals have been able to identify any of them despite attempts lasting almost three months, it appears the details of the privacy breach may remain a mystery. Hunt says there's almost 90GB of personal information in the open database.
"Back in Feb, Dehashed reached out to me with a massive trove of data that had been left exposed on a major cloud provider via a publicly accessible Elasticsearch instance. It contained 103,150,616 rows in total," writes Hunt. "The global unique identifier beginning with 'db8151dd' features heavily on these first lines hence the name I've given the breach. I've had to give it this name because frankly, I've absolutely no idea where it came from, nor does anyone else I've worked on with this."
Who cares? (Score:5, Insightful)
And something like a combined entry with name+phone+address?? Oh, the horrors! We used to call that the white pages of the telephone book we got delivered to us for free.
Re: Who cares? (Score:1)
No, only to you city. In paper. Which is different than to 7-8 billion people, in an easily automatable format.
Still rather tame. But still not the same.
Re: Who cares? (Score:4, Informative)
No, only to you city. In paper. Which is different than to 7-8 billion people, in an easily automatable format.
Still rather tame. But still not the same.
Not totally accurate. Back in the day, white pages information was available to anyone with a telephone. All it took was a phone call to the operator anywhere, and they would give you any listed phone number, and other listed information, no questions asked. All you needed to supply was a name and a city. You did not even need to know who you were looking for. Make up a last name and first initial and operators were often willing to run down the list of matching names if you claimed you did not remember the specific street address.
And most libraries had white pages books from outside the local listing area.
Re: (Score:1)
But, opting out of that system actually worked.
Re: (Score:2)
Re: Who cares? (Score:3)
Re: (Score:2)
Not to mention the massive number of "criss-cross" directories (also printed) which listed the same data with different keys. Such as being able to find name + phone number by looking up an address.
This has all been public information for as long as I can remember.
Re: (Score:2)
"No, only to you city"
Wrong! I still get phone books today, and they list more than just one fucking city. Try twenty other cities outside of mine, all listed in a single book.
Re: (Score:2)
You realize there's a difference between how easy it is to abuse it in the white pages versus in one file?
Also difference in magnitude and breadth of data. One is a few thousand names and addresses and phone numbers. The other is millions, making it easier to create false identities.
Re: (Score:2)
I don't recall the white pages listing when I'd had work done on my house.
Re: (Score:2)
NBA, Comcast, Toyota, CBS, Obama, customer, etc. care! :P
I like Color BASIC (Score:1)
If it came from haveibenpwned.com? (Score:1)
I mean they by definition run a massive personal data storage.
wait until we have the tracking data (Score:2)
This has been identified (Score:4, Informative)
Re: This has been identified (Score:1)
Coincidence, but not the same data.
It was from Covve contacts app (Score:2)
Edit 3: Thanks to some community sleuthing, the origin of this breach has now been identified as the Covve contacts app [covve.com]. Their public disclosure is in that link and they've also been in contact with regulators and had a couple of phone calls with myself.
I'm scared now (Score:2)