Explore Talent Exposes 11.4M User Records in Latest API Flaw Lapse

An API flaw in Explore Talent, a well-known online talent network, has resulted in the exposure of the personal records of 11.4 million users, with 8.9 million unique email addresses now added to the Have I Been Pwned (HIBP) database.

The breach, confirmed to have occurred on August 15, 2024, was discovered during an in-depth investigation by Crimew and Fae into Tracki, a GPS tracking company. The investigation revealed that Tracki and several other companies, including Explore Talent, were part of a secretive conglomerate linked to Ami Shafrir, a businessman with a controversial history in various industries, including online talent networks and GPS tracking. Tracki also exposed 372,557 accounts which have been added onto HIBP's database now, including full names and email addresses.

Explore Talent, founded in the early 2000s, markets itself as a platform for aspiring actors, models, and musicians to connect with casting directors and land roles in the entertainment industry. However, its reputation has been marred by allegations of misleading practices, with many users claiming that the platform fails to deliver on its promises, despite charging nearly $290 annually for its “PRO” membership.

The vulnerability in Explore Talent's API, exploited in this breach, allowed unauthorized access to vast amounts of user data, including email addresses, names, phone numbers, and home addresses. This exposure highlights ongoing security issues within the company, as it follows a previous, unreported breach in 2022 where similar data was leaked online. Despite this, Explore Talent has consistently denied any breaches, assuring its users of their data's safety.

In July 2024, a data breach involving 5.4 million unique email addresses, along with names, phone numbers, and physical addresses, was posted on a popular hacking forum. The breach, which reportedly occurred between early 2022 and 2023, went unnoticed for over a year before it was finally disclosed. The compromised data from this breach was added to the Have I Been Pwned (HIBP) database on July 25, 2024.

Users of Explore Talent who have received HIBP’s breach alerts now are advised to change their passwords immediately, monitor their accounts for suspicious activity, and consider using multi-factor authentication wherever possible. This breach serves as a stark reminder of the importance of robust security practices, especially for companies handling sensitive user data.