A single, mysterious server exposed 1.2 billion user records

No one knows who owns the Google Cloud drive that exposed 1.2 billion user records, seemingly merged from data-brokers like People Data Labs and Oxydata, who may have simply sold the data to a customer that performed the merge operation and then stuck the resulting files on an unprotected server, which was discovered in October by researcher Vinny Troia using Binaryedge and Shodan.


The data merges home and cell numbers, social media profiles, work histories and email addresses; as Troia says, "This is the first time I've seen all these social media profiles collected and merged with user profile information into a single database on this scale. From the perspective of an attacker, if the goal is to impersonate people or hijack their accounts, you have names, phone numbers, and associated account URLs. That's a lot of information in one place to get you started."


The brokers don't think they were breached. PDL founder Sean Thorne hypothesized that some of the data his company nonconsensually gathered on 1.5 billion people was sold to a normal customer who mishandled it and that is "their responsibility."

Oxydata exec Martynas Simanauskas said that while his company sells its nonconsensual dossiers on terms that require its customers to manage the data conservatively, "there is no way for us to enforce all of our clients to follow the best data protection practices and guidelines."


They're totally right about one thing: once you gather and sell this data, you can't control it — it's pluripotent, omnitoxic, and immortal. It's nuclear waste.

The thing they're wrong about is the wisdom of selling that pluripotent, omnitoxic, immortal toxic waste, given that they can't control it. The fact that they cheerfully admit that there's no way for them to ensure that the nonconsensual dossiers they've assembled won't be weaponized against their subjects (and the commonsense conclusion that these dossiers will be weaponized against their subjects) means that it is incredibly reckless, even sociopathic for these privacy profiteers to be in the business that they're in.


When we compose threat models for privacy breaches, we often assume that the adversary is someone rational: a supervillain with a long-term plan for committing their crimes and then getting away from them. But time and again, we see the actors behind privacy breaches are petty dum-dums, short-term-thinking idiots who literally can't be bothered to password protect their Google Cloud accounts.


You can deal with rational villains with deterrence. But short-term, impulsive idiots are not deterrable. They're like crackheads stealing motorcycle sparkplugs — unpredictable, irrational, and, basically, unstoppable.


"While the part of the database Vinny found presumably might be acquired from us or one of our customers, it has definitely not been leaked from our database," Simanauskas told WIRED. "We sign the agreements with all our clients that strictly forbids the data reselling and obliges them to ensure that all of the appropriate security measures are taken. However, there is no way for us to enforce all of our clients to follow the best data protection practices and guidelines. Judging from the data structure, it seems clear that the database found by Vinny is a work product of a third party, with entries generated from multiple different sources."

The fact that neither data broker could rule out the possibility that one of their customers mishandled their data speaks to the larger security and privacy issues inherent in the business of buying and selling data.


1.2 Billion Records Found Exposed Online in a Single Server [Lily Hay Newman/Wired]

(Image: RicHard-59, CC BY-SA, modified)