
An unprotected database was recently discovered online which contained over 16 terabytes of professional and corporate data, exposing more than four billion records worth of personal information. According to researchers working with Cybernews, this is one of the largest lead generation datasets to ever be uncovered on the open internet and it includes LinkedIn profiles and handles as well as other employment and personal details.
The other details mentioned include contract information, corporate relationships and employment histories from the detailed LinkedIn-derived profiles. Some of the dataset collections exposed personal details such as full names, phone numbers, LinkedIn URLs and profile handles, position titles, employers, employment histories, education, degrees, certifications, location data, languages, skills, functions, social media accounts, image URLs (photos) and more.
The researchers believe this data was collected over the years and across multiple regions before being found in an unprotected MongoDB instance. MongoDB instances are often used by businesses to save time when collecting massive amounts of data, but if even a single dataset is left exposed, it puts the privacy of potentially millions of people at risk, which is exactly what occurred with this one.
The discovery was made on November 23rd of this year, and though the instance's owner secured it two days later, it is unknown how long it was exposed for before it was found. The leak was likely a mistake due to human error, and is the type that often occurs when a database is left unsecured without proper authentication.
Cybernews' researchers said that this database instance was fully structured and probably composed of scraped professional and corporate intelligence data. Also, due to the structure of the database, it is believed that the data is up-to-date and accurate.
However, this is precisely the kind of error that attackers like to stumble across, as it provides them with the perfect foundation from which to launch large-scale automated attacks. It is easy to funnel this type of information into a large language model (LLM) to then send out millions of malicious emails to potential victims.
Attackers can also use the data to carry out targeted phishing attacks or social engineering attacks on employees at a corporation.
How to stay safe after a data leak

Just like with any other data breach or data leak, you'll want to focus on a security overhaul by making sure that your passwords are all updated, especially for any accounts involved in the breach. In this case, that means your LinkedIn and email accounts as well as any other high-profile accounts like financial ones. Using one of the best password managers to generate and then store new, secure passwords for you will certainly make this easier.
You'll also want to keep an eye out for phishing attempts and social engineering attacks. As such, you'll want to be on alert for anyone sending texts, emails or even phone calls trying to get you to give out personal information or pressuring you to click on a link, download an attachment or app or go to a website.
Signing up for one of the best identity theft protection services is also never a bad idea, particularly because these services work best if they can watch out for your personal information ahead of time before an issue occurs.
Given that all of the information contained in this leak was likely publicly available, it's not illegal for companies to collect it. However, failing to secure a database of this size properly does have legal ramifications. I'll update this story when and if we learn more about why this data was collected in the first place and if anyone is going to be held accountable for the leak.
