Data aggregator leaks 9.3m people’s personal information

Security researchers have discovered an unsecured database containing the contact information of more than 9.3 million people, including email addresses, phone numbers, social media data and more.

The latest data exposure comes courtesy of Adapt.io, a company which offers sales and marketing professionals access to a database of (according to the company's website) 37 million business contacts, including 2.7 million C-level and 3.8 million vice-president and director-level contacts.

The unsecured database was initially discovered by security researcher and director of cyber risk research for Hacken, Bob Diachenko, who found a publicly-accessible MongoDB database with no access controls. The database contained 123GB of data on the names, job titles, employers, phone numbers, email addresses, physical addresses and social media profiles of 9.3 million people.

Diachenko initially discovered the data protection problem on 5 November. Hacken contacted the company to disclose the data leak, but so far has received no response from the company.

In its privacy policy, Adapt claims that it "takes precautions, including appropriate administrative, technical and physical measures, to protect Data About Customers against loss, theft and misuse, as well as unauthorized access, disclosure, alteration and destruction".

It also asserts that the company "uses reasonable security controls to protect Business Contact Information" - a claim which would appear to be at odds with the fact that more than 100GB of that information was sitting in an unsecured, publicly-accessible database.

Individuals can check if their data is in the Adapt database by using this form, and can request that they be removed if so.