A MASSIVE CORPORATE DATABASE has leaked online, exposing the contact details of over 33.7 million employees in the United States.
The leaked database weighs in at 52.2GB, and according to ZDNet comes via business services firm Dun & Bradstreet, which sells it to marketers that send targeted email campaigns.
Troy Hunt, who runs the website Have I Been Pwned, got his mitts on the database, which he likened to the recent breach at dodgy toy maker CloudPets.
After examining the data, Hunt has revealed that the data dump contains details belonging exclusively to US-based companies and government agencies. California is the most represented state with over four million records, followed by New York with 2.7 million records and Texas with 2.6 million records.
The leading organisation by records is the Department of Defense, with 101,013 personnel records exposed in the dump. It is followed by the United States Postal Service (USPS) with 88,153 leaked employee records and AT&T with 67,382.
Other firms affected by the leak include CVS with 40,739 records, Citigroup with 35,292 and IBM with 33,412.
The database contains dozens of fields, some including personal information such as names, job titles and functions, work email addresses, and phone numbers.
While the database doesn't contain more sensitive information, such as credit card numbers or SSNs, Hunt says it's an "absolute goldmine for targeted spear phishing."
"From this data, you can piece together organisational structures and tailor messaging to create an air of authenticity and that's something that's attractive to crooks and nation-state actors alike," he said.
"I often work with companies attempting to mitigate the damage of their organisational data being publicly exposed (frequently due to data breaches), and I can confidently say that knowing this information is out there circulating would concern many of them."
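The analysis Hunt describes, counting records per organisation and state and reading off who holds which role, is exactly the triage a security team should run against such a dump to see what an attacker now knows about them. The script below is an added example, not code from the article, Hunt or Dun & Bradstreet: it parses a constructed sample in the shape the article describes (name, job title, work email, phone, state), ranks organisations by exposed records using the email domain as the organisation key, reconstructs the per-organisation list of job titles, and flags the roles (finance, procurement, executives, IT administrators) that spear-phishing and invoice-fraud campaigns typically impersonate or target. The sample records and the high-value title keywords are assumptions for illustration.

```python
"""Triage of a leaked business-contact dump.

Added example: the records below are constructed and are not the
Dun & Bradstreet data; the field names mirror what the article lists.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample records (invented names and domains).
SAMPLE_CSV = """name,job_title,email,phone,state
Alice Example,Chief Financial Officer,alice@example-corp.com,555-0101,CA
Bob Example,Accounts Payable Clerk,bob@example-corp.com,555-0102,CA
Carol Example,Software Engineer,carol@example-corp.com,555-0103,NY
Dan Sample,Procurement Manager,dan@sample-agency.gov,555-0201,TX
Eve Sample,Director of Operations,eve@sample-agency.gov,555-0202,TX
Frank Sample,Help Desk Technician,frank@sample-agency.gov,555-0203,NY
"""

# Assumed heuristic: title fragments that mark roles attackers impersonate
# (executives) or target (people who move money or hold admin rights).
HIGH_VALUE_TITLE_TERMS = (
    "chief", "director", "finance", "financial",
    "accounts payable", "procurement", "administrator",
)


def load_records(text):
    """Parse the CSV dump into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def org_of(record):
    """Use the work-email domain as the organisation key."""
    return record["email"].split("@", 1)[1].lower()


def records_per_org(records):
    """Count exposed records per organisation, as in the article's ranking."""
    return Counter(org_of(r) for r in records)


def records_per_state(records):
    """Count exposed records per US state."""
    return Counter(r["state"].upper() for r in records)


def org_structure(records):
    """Map each organisation to the sorted job titles exposed for it.

    This is the 'piece together organisational structures' step: an
    attacker can see which roles exist and address mail accordingly.
    """
    titles = defaultdict(list)
    for r in records:
        titles[org_of(r)].append(r["job_title"])
    return {org: sorted(t) for org, t in titles.items()}


def is_high_value(title):
    lowered = title.lower()
    return any(term in lowered for term in HIGH_VALUE_TITLE_TERMS)


def exposure_report(records, own_domain):
    """Summarise what the dump reveals about one organisation.

    Returns the number of exposed employees and the work addresses of
    those in high-value roles, which should go straight onto the
    phishing-simulation and mail-filtering watchlists.
    """
    own_domain = own_domain.lower()
    own = [r for r in records if org_of(r) == own_domain]
    flagged = sorted(r["email"].lower() for r in own if is_high_value(r["job_title"]))
    return {"exposed": len(own), "high_value": flagged}


if __name__ == "__main__":
    recs = load_records(SAMPLE_CSV)
    for org, n in records_per_org(recs).most_common():
        print(f"{org}: {n} records, titles={org_structure(recs)[org]}")
    print("by state:", dict(records_per_state(recs)))
    print("example-corp.com:", exposure_report(recs, "example-corp.com"))
```

On the real dump the only change is reading the file instead of the embedded string; the domain-based grouping is an approximation (subsidiaries and personal addresses will split or merge organisations), so treat the counts as a starting point rather than an authoritative inventory.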
Dun & Bradstreet has denied responsibility for the leak and said it could have come from any of its thousands of clients.
"Based on our analysis, it is our determination that there has been no exposure of sensitive personal information from, and no infiltration of our system. The information in question is data typically found on a business card.
"As general practice, Dun & Bradstreet uses an agile security process and evaluates and evolves security controls to protect the integrity of our data," a spokesperson told the INQUIRER.