Wired reported Wednesday that Exactis, a Palm Coast, Fla.-based marketing and data-aggregation company, had exposed a database of almost 2 terabytes, holding nearly 340 million individual records, on a public server. That included records of 230 million consumers and 110 million businesses.
“It seems like this is a database with pretty much every U.S. citizen in it,” security researcher Vinny Troia, who discovered the breach earlier this month, told Wired. “I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen,” he said.
While the database apparently does not include credit-card numbers or Social Security numbers, it does include phone numbers, email and postal addresses as well as more than 400 personal characteristics, such as whether a person is a smoker, if they own a dog or cat, their religion and a multitude of personal interests.
Even though no financial information was included, the breadth of personal data could make it possible to profile individuals or help scammers steal identities.
Troia told Wired that he was easily able to access the database on the internet, and in theory, plenty of other people could have too. He said he warned Exactis and the FBI about the vulnerability, and the data is no longer publicly accessible.
On its website, Exactis said it maintained 3.5 billion consumer, business and digital records, including “demographic, geographic, firmographic, lifestyle, interests, CPG, automotive, and behavioral data.” The company said it has data on 218 million individuals and 110 million U.S. households.
There are about 325 million residents in the U.S., with about 244 million adults and 126 million households, according to the U.S. Census Bureau.
Exactis did not immediately respond when asked to confirm the breach.
If confirmed, the data leak would be one of the largest in history, and far bigger than the Equifax data breach last year that exposed the personal information of about 148 million consumers.
While technically not a breach, Facebook Inc. said in March that most of its 2 billion users had their personal data “improperly shared” without their permission, including about 87 million profiles that were scraped by Cambridge Analytica.