Security Researchers from Have I Been Pwned recently discovered an open database containing 22.8 email addresses. This database containing millions of records is a mystery to researchers as the database's origins have yet to be identified. Security researcher Troy Hunt does not believe the information was obtained by scraping publicly available information.
"Firstly, my phone number is not usually exposed and that was in there in full. Yes, there are many places that (obviously) have it, but this isn't a scrape from, say, a public LinkedIn page. Next, my record was immediately next to someone else I've interacted with in the past as though the data source understood the association," Troy states.
This information has led security researchers to believe that the database's origins are tied to a customer relationship management system. Three months of investigation have turned up minimal clues as to the source of the unsecured information. These clues include three phrases that appear throughout the data multiple times:
- This contact information was synchronized from Exchange. If you want to change the contact information, please open OWA and make your changes there.
- Exported from Microsoft Outlook (Do not delete).
- Contact Created by Evercontact. (Evercontact is a contact management app available on Android.)
When contacted as part of the investigation, Evercontact was unable to provide security researcher Troy Hunt with any additional information.
Unsecured databases pose a serious threat. Hundreds of millions of records containing highly confidential, personally identifiable information are at risk of getting exposed.
HOW CAN I FIND OUT IF MY INFORMATION IS EXPOSED IN THIS DATABASE?
Guardio offers account monitoring services. If you already have a membership with Guardio and were exposed, you can see a list of any data breaches that involved your accounts on your personal dashboard.
If you aren't already a member of Guardio, we invite you to activate a free trial of our live browser protection and account monitoring service. At the time that you activate your trial, we'll run a scan of your device for existing threats and alert you of any instance where your accounts were involved in a data breach, including this large scale mystery unsecured database. If you have multiple email addresses to check, we've got you covered there, too.