Continuing from our last blog, we're looking at another huge data breach of a data enrichment company, this time dating back to May 2018.
As with the PDL leak we discussed in our last blog, the Apollo data breach exposed information that many of us unwittingly make public as we navigate the internet - aka our digital footprint.
Author of Hunting Cyber Criminals, Vinny Troia discovered an unprotected data set of 212 million contact listings and a whopping 9 billion data points. The data set was so detailed that Troia initially assumed it was a breach of LinkedIn, but after further investigation, discovered that the data belonged to Apollo.
Apollo is a self-described "data-first engagement platform". Its aim is to help companies more accurately target their sales messaging and create more engagement. Today it claims access to 200 million business contacts and 10 million businesses, their direct-dial phone numbers, and verified email addresses.
When the breach was exposed in August 2018, Apollo claimed that most of its data is acquired from publicly available sources. But, it also scrapes social media sites Twitter and LinkedIn for further information. The leaked data set also included client-imported information.
The data didn't include security numbers, passwords or bank details. However, such a comprehensive set of data is a boon for cybercriminals, who can use it to convincingly impersonate you or highly visible people within your company, and garner more sensitive information that could cause real damage.
LinkedIn released a statement sharply reprimanding the unauthorised use of data from its site.
"Misusing LinkedIn member data violates our terms of service and the trust our members place in us. When anyone tries to take member data and use it for purposes LinkedIn and its members haven't agreed to, we take aggressive action to stop them and hold them accountable."
So, how did Apollo react? Apollo's CTO, Ray Li, told reporters at WIRED magazine that they had reported the breach with the authorities and had opened their own investigation. They also sent a letter out to their customers explaining that there had been a data breach.
But what of the hundreds of thousands of people whose details were exposed? Well, they still remain in the dark. Given the scope of this data breach, there is a chance highly visible people within your company have been implicated.
There have been similar data leaks and breaches before and since within the Data Enrichment industry. Until there is consistent reform on how data from our digital footprint can be used, such leaks will continue to occur. It's down to you to be aware of what data is available and ensure you know what hacker's will see when they come looking. Fresh Security can help.