Is Our Digital Footprint in safe hands? Part I: People Data Labs (PDL) Breach 2019

📅 July 30, 2020

⏱️ 2 min read

Businesses that collect and sell data are, unsurprisingly, extremely juicy targets for phishing scammers and identity thieves. The added sting is that these companies have our data without our permission and without us even knowing about it. Every time you fill in a data field, any time you sign up to a service, any time you make a purchase, the digital footprint you leave behind can effectively be mined and sold to the highest bidder.

For the most part, it’s pretty harmless. Legitimate “data enrichment” companies use publicly available information that isn’t particularly sensitive. Nonetheless, if it gets into the wrong hands, it’s a handy shortcut for cybercriminals to phish for passwords and bank details and make that information available on the dark web.

Over the next two blogs, we’ll take a look at two huge data leaks that occurred over the past few years. The sheer number of records involved means that there’s a fair chance that you, your business, or highly visible people in your business are implicated.

We’ll start with a leak from People Data Labs (PDL) that was discovered in October 2019 by cybersecurity researchers Vinny Troia and Bob Diachenko.

A database of over 1.2 billion records of personal data was discovered on an unprotected server. Although the server didn’t belong to PDL, it is believed that one of their customers mishandled the database, making it freely available on the deep web - no login details necessary.

The database contains 620 million unique email addresses, as well as phone numbers, full names, and information scraped from social media sites including LinkedIn and Facebook. That’s more than enough for an identity thief to convincingly impersonate you.

PDL now boasts a database of over 1.5 billion profiles. While the information was not found on one of their servers, the evidence points to the fact that it derived from them. Diachenko and Troia cross-referenced the data from the server with PDL’s data, and it was almost an exact match. The exact identity of the server’s owner is unknown, so we cannot say for sure if it’s the work of a cybercriminal or one of PDL’s customers.

The case poses questions about the safety of our digital footprint. Is it ok that our public information is considered fair game? Should companies that mine data be held responsible for data leaks and breaches, and inform those affected that their data could be in the wrong hands?

For now, the responsibility is left with the internet user to safeguard their data and the data of their customers.