A U.S. cybersecurity researcher has discovered a dataset with the personal data of 1.2 billion people
For more than a decade, hackers, identity thieves, phishers and other online scammers have devoted themselves to stealing data and building a black market where they can resell what they have stolen. That data is sensitive, and mostly consists of login credentials that "third parties" reuse to drain bank accounts and credit cards.
Last October, Vinny Troia, an American researcher, opened Pandora's box when, almost by accident, he discovered a mountain of easily accessible personal data stored on an unsecured server: as many as four terabytes of sensitive and personal information, roughly 1.2 billion files. It is a truly impressive collection of data, but one that does not include, as you might expect, data related to credit cards, online accounts or, in the case of the United States, Social Security numbers. Instead, Troia uncovered hundreds of millions of people's profiles containing landline and cell phone numbers, login credentials to social networks like Facebook, LinkedIn and GitHub, and resumes pulled directly from LinkedIn. We're talking nearly 50 million phone numbers and 622 million email addresses.
Stolen data: the work of Vinny Troia
Vinny Troia was stunned. The researcher stated that he had never come across such a large collection in which millions of social profiles are gathered, merged with one another and linked directly to a single user, all contained in a single database. According to the researcher, a data collection of this kind is much more dangerous because it puts a person's very identity at risk, both digital and physical. An attacker who wants to pass himself off online as another person would have all the means to do so, from access to social profiles and personal email to home and cell phone numbers.
The most disturbing thing for the researcher was where he found the database in question. It was simply stored in Google Cloud Services, and the IP address of the server was easily traceable online. After the "find," Troia promptly notified the FBI, which quickly removed the server but refused to comment on what happened.
Data of Unknown Origin
The data discovered by the U.S. researcher is divided into four different datasets. Three appear to have come from People Data Labs, a San Francisco-based data broker. People Data Labs legally sells personal data; on its website, the company claims to have the data of more than 1.5 billion people. Troia believes it is unlikely that People Data Labs' servers have been hacked, a point also confirmed by the company's co-founder, with whom the American researcher spoke directly.
The last dataset is labeled with the name "OXY", and each file within it contains an identical tag. According to Vinny Troia, the "OXY" tag could refer to another data broker: Wyoming-based Oxydata. But the top management of that company have also stated that they have not been breached. Moreover, Oxydata has stressed that the company's data does not use the "OXY" tag.