Is Our Digital Footprint in Safe Hands? Part I: People Data Labs (PDL) Breach 2019


Businesses that collect and sell data are, unsurprisingly, extremely juicy targets for phishing scammers and identity thieves. The added sting is that these companies have our data without our permission and without us even knowing about it. Every time you fill in a data field, any time you sign up to a service, any time you make a purchase, the digital footprint you leave behind can effectively be mined and sold to the highest bidder.

For the most part, it’s pretty harmless. Legitimate “data enrichment” companies use publicly available information that isn’t particularly sensitive. Nonetheless, if it gets into the wrong hands, it’s a handy shortcut for cybercriminals to phish for passwords and bank details and make that information available on the dark web.

Over the next two blog posts, we’ll take a look at two huge data leaks that occurred over the past few years. The sheer number of records involved means that there’s a fair chance that you, your business, or highly visible people in your business are implicated.

We’ll start with a leak from People Data Labs (PDL) that was discovered in October 2019 by cybersecurity researchers Vinny Troia and Bob Diachenko.

A database of over 1.2 billion records of personal data was discovered on an unprotected server. Although the server didn’t belong to PDL, it is believed that one of their customers mishandled the database, making it freely available on the deep web, with no login details necessary.

The database contains 620 million unique email addresses, as well as phone numbers, full names, and information scraped from social media sites including LinkedIn and Facebook. That’s more than enough for an identity thief to convincingly impersonate you.

PDL now boasts a database of over 1.5 billion profiles. Although the information was not found on one of PDL’s servers, the evidence indicates that it originated with them. Diachenko and Troia compared the data from the server with PDL’s data and found it was almost an exact match. The exact identity of the server is unknown, so we cannot say for sure if it’s the work of a cybercriminal or one of PDL’s customers.

The case poses questions about the safety of our digital footprint. Is it OK that our public information is considered fair game? Should companies that mine data be held responsible for data leaks and breaches, and inform those affected that their data could be in the wrong hands?

For now, the responsibility is left with the internet user to safeguard their data and the data of their customers.

July 30, 2020