Biz & IT —

Breach exposes at least 58 million accounts, includes names, jobs, and more

With 2 months left, more than 2.2 billion records dumped so far in 2016.

Breach exposes at least 58 million accounts, includes names, jobs, and more

There has been yet another major data breach, this time exposing names, IP addresses, birth dates, e-mail addresses, vehicle data, and occupations of at least 58 million subscribers, researchers said.

The trove was mined from a poorly secured database and then published and later removed at least three times over the past week, according to this analysis from security firm Risk Based Security. Based on conversations with a Twitter user who first published links to the leaked data, the researchers believe the data was stored on servers belonging to Modern Business Solutions, a company that provides data storage and database hosting services.

Shortly after researchers contacted Modern Business Solutions, the leaky database was secured, but the researchers said they never received a response from anyone at the firm, which claims to be located in Austin, Texas. Officials with Modern Business Solutions didn't respond to several messages Ars left seeking comment and additional details.

Risk Based Security said the actual number of exposed records may be almost 260 million. The company based this possibility on an update researchers received from the Twitter user who originally reported the leak. The update claimed the discovery of an additional table that contained 258 million rows of personal data. By the time the update came, however, the database had already been secured, and Risk Based Security was unable to confirm the claim. The official tally cited Wednesday by breach notification service Have I Been Pwned? is 58.8 million accounts. In all, the breach resulted in 34,000 notifications being sent to Have I Been Pwned? users monitoring e-mail addresses and 3,000 users monitoring domains.

According to Risk Based Security, the account information was compiled using the open source MongoDB database application. The researchers believe the unsecured data was first spotted using the Shodan search engine. The publication of the data happened when a party that first identified the leak shared it with friends rather than privately reporting it to Modern Business Solutions.

By the tally of Risk Based Security, there have been 2,928 publicly disclosed data breaches so far in 2016 that have exposed more than 2.2 billion records. The figures provide a stark reminder of why it's usually a good idea to omit or falsify as much requested data as possible when registering with both online and offline services. It's also a good idea to use a password manager, although this leak was unusual in that it didn't contain any form of user password, most likely because the data was being stored on behalf of one or more other services.

Channel Ars Technica