A major data breach involving DemandScience has exposed 122 million unique corporate email addresses, along with extensive business contact information.
The breached data, now available on a popular hacking forum, includes physical addresses, phone numbers, company names, job titles, and even LinkedIn profiles for many individuals. The data was initially posted earlier this year, and the breach has been attributed to a legacy system that had been decommissioned before the leak occurred.
DemandScience, a data aggregator and business intelligence provider owned by Pure Incubation, is known for compiling and selling data to help companies better target potential clients. The breach has left many individuals questioning how their data was collected and why it was included in a DemandScience database without their knowledge.
Troy Hunt, the founder of “Have I Been Pwned” (HIBP), an online service that helps individuals check if their personal data has been compromised in data breaches, shared insights into the scale and implications of the breach. Hunt noted that while the data was public in nature — collected from sources accessible to anyone — many impacted users were unaware that their information had been aggregated, packaged, and distributed on this scale.
Implications of aggregated public data
The DemandScience breach has sparked new debate over the ethical considerations of data aggregation, particularly when data collected for one purpose is later used, or sold, in ways that individuals might not expect. While many impacted users contacted by Hunt noted that the exposed data was largely accurate and publicly available, the question remains whether they ever intended this information to be bought, sold, or associated with potential security threats.
In response to inquiries, DemandScience stated that “none of [its] current operational systems were exploited,” indicating that the leak originated from a now-decommissioned system. This raises questions about how data security measures should be applied to outdated systems, which remain vulnerable to leaks.
While some users may be indifferent to their public information appearing in a breach, others have expressed concerns over an increase in spam, phishing attempts, and targeted advertising. Hunt received mixed feedback from users on whether they would expect notification when their data, public or not, appears in a breach, with several indicating a desire for better control over how their data is used and shared.
DemandScience has provided a “Do Not Sell My Information” form on its website, although it appears limited to California residents. This has added to concerns, with individuals outside the U.S. feeling they lack comparable means to control the distribution of their data.
Following the breach, HIBP has added the DemandScience data to its searchable database. Impacted individuals with accounts in HIBP will receive alerts, enabling them to take precautionary steps, such as monitoring their accounts for unusual activity and updating passwords if necessary.