
Sales engagement startup Apollo says its massive contacts database was stolen - iamben
https://techcrunch.com/2018/10/01/apollo-contacts-data-breach/
======
gk1
The article talks about notifications and risks to _customers_ of Apollo, but
it's not the _customers'_ data that was stolen... It was that of 200 MILLION
people who probably never opted into having their contact information packaged
and sold to third parties.

~~~
r00fus
Waiting for GDPR. The information provided, while not PII, is still pretty
useful for, say, social engineering.

One wonders how much the dataset would go for in the black market.

~~~
ironchef
Name and email are usually considered PII in most of the compliance world, no?

~~~
gumby
Does it apply if they are business contacts (business address/phone number)?
After all your company-issued phone isn't personal to you -- it identifies a
role ("the purchasing manager for foobartronix") and if you leave that number
will reach someone else.

I don't know how the "compliance world" treats that, but I bet it's a loophole
many many people are trying to squeeze through.

(I do actually consider it personal to you. And I am a fan of what GDPR is
trying to accomplish, in principle, but it's clear the law doesn't really work
yet).

~~~
kristianc
GDPR has a broader definition of PII than is used in the US, and includes any
data that can potentially be used to identify an individual (even IP address),
so it’s almost certain that it is within scope.

~~~
gumby
Here is the actual text of GDPR (there are many sites, hosted at .eu domains,
that claim to tell you what the legislation says, but why not read the
published law? I chose English as HN is an English-language site):
[https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32...](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32016R0679)

My read is that the text of the law doesn't apply to people acting on behalf
of a corporation, in their corporate persona (but this is why I linked to the
text itself and not someone else's interpretation. It's not that long).

The law talks about identifying a person in their personal sphere (doesn't
apply to being in your home; talks about ties to fundamental human rights,
genetic and health info, etc.) or things like credit approval, and many many
many exceptions for "national security" and "legal" uses. It clearly _does_
apply to what your employer knows about you!

Normally I hate these kinds of hair-splitting "gotcha" cases I write up below,
so I feel weird typing them. But the economic value is so high and frankly
some of the use, and abuse, cases so clear, I wonder. It's still early
days for GDPR so these questions are, at the moment, rhetorical.

Here's an example: part (26) says, "The principles of data protection should
apply to any information concerning an identified or identifiable natural
person." But if I call a company the telephone receptionist will answer and I
will know I can reach them by calling that number. If they have three I know I
can reach the one I want to by calling repeatedly. Yet you don't want to
prevent publication of company phone numbers (and what about suppressing them
until the receptionist leaves -- that leaks personal info too). (The section
is actually about pseudonymisation, BTW.)

Likewise, per your example of IP addresses (in 30): if a company uses NAT then
the company's IP address does not identify any single person, though it could
be presumed to identify a particular subset. (Adding IP address to other info
could ID one person, and that is covered in 30.)

------
avitzurel
This smells like someone leaving a DB open to the world (remember the old
MongoDB open by default?)

I think stealing a whole database raises very serious questions as to how
technically this was done and how would you prevent this at your company.

Unfortunately "transparency first" aside, companies don't usually release this
information which leaves us all wondering how we can better protect our users
(outside of having sane defaults, closed by default, no ssh, private networks
etc...).

~~~
thefounder
You would be surprised to find out how many large companies (i.e. top 500) lost
their databases, banks included. Many can be googled but most never made it
public or didn't even know what happened to them. Chances are that your
contact data has been leaked by several parties already. My conclusion is that
you can't secure data unless you make a goal of that and even then it's not a
sure thing. All your private networks have multiple public entry points and
possibly a coordinator (i.e. Kubernetes admin). Most ecommerce companies and
even payment processing companies think of security as an accessory to their
business not a primary concern. If they are too focused on security they lose
market share (i.e. the vetting takes too much time). The only solution is to
consider all unencrypted data public and use encryption at the client
level (i.e. mobile device).

~~~
fogetti
That's why the EU introduced GDPR. So you are legally responsible (and the
fines can be pretty steep) if you 'forget' to make the breach public.

------
blantonl
So this must be the database that hundreds of relentless SaaS sales reps
use to send me emails like "_Hi there, wanted to bubble this up in your inbox
and see if you'd be interested in a convo about your site and how we can
increase xxx% revenue with our yyyy solution_"

~~~
JunkDNA
Oh you just wait! If you haven't gotten one of these yet, the latest version
of this is that they actually send a calendar invitation (through a 3rd party
service) for a meeting out of the blue. Gmail will helpfully pencil that time
in on your calendar automatically until you go in and delete the event. This
prevents legit meetings from being scheduled since people are afraid you have
some important sales call. If you're absent minded and click "No" to your
RSVP, they know you saw it! Blech!

~~~
browsercoin
Ah, the "we are drowning in product market fit, so don't pass up this
opportunity we are giving you".

------
i_am_nomad
These articles are always a little frustrating, especially to those of us who
aren't familiar with data management on that scale. For example, how was the
breach carried out? How did the company know it occurred? Was there something
the company should have done, but didn't?

I understand why those details don't make it into the media, but it's hard not
to be curious about it.

~~~
user111233
It's probably kept secret because if we knew how easy it was to steal their
data that would be bad for their image. Most companies have little to no
security other than "no one will think to request this url". Could be a past
or present employee who knows all the unprotected systems and wanted to make
some extra money selling the data.

------
koolba
> Apollo’s database contains publicly available data, including names, job
> titles, employers, social media handles, phone numbers and _email
> addresses_. It doesn’t include Social Security numbers, financial data or
> _email addresses_ and passwords, Apollo said.

Eh? So are email addresses included or not? They’re listed in both categories.

~~~
wutbrodo
Based on the grammatical structure of the second sentence, it sounds like
[email, password] pairs weren't lost, while emails alone may have been.

~~~
farnsworth
That's a weird way to say it; it almost seems to imply that a list of
passwords was lost, but the passwords aren't associated with emails.

~~~
wutbrodo
Yeah, agreed, very poorly phrased.

------
frereubu
Can someone with more experience of these things tell me how these breaches
are discovered, and how they know what information was taken? I presume it's
not an exact science.

~~~
adanto6840
Not overly experienced with this, but years ago we used to add honeypot email
addresses to our databases for a super simple & cheap way to at least get an
idea of whether data had been exfiltrated. If you add a new email once a month
you can get some 'timing' info, and then could start comparing against logs.

~~~
GaryNumanVevo
That's actually pretty clever!

------
ajsharp
"The email said that company said the breach was discovered weeks after system
upgrades in July."

Wow. They emailed customers but made no public announcement that people's
email addresses and personal info had been stolen and are now available on the
black market.

This is absolutely atrocious incident management and disclosure. I smell a
lawsuit, possibly from the state or federal government.

------
yoaviram
If you want to do something about this (and other) negligent organizations,
head over to [https://opt-out.eu](https://opt-out.eu), search for Apollo, and
the site will generate a GDPR erasure request that you can send. Disclaimer:
I'm one of the site's creators.

~~~
coaxial
Thank you, that was useful.

------
adjkant
> Apollo’s database contains publicly available data, including names, job
> titles, employers, social media handles, phone numbers and email addresses.
> It doesn’t include Social Security numbers, financial data or email
> addresses and passwords, Apollo said.

So I guess email addresses are a nullable field?

~~~
isalmon
My theory is (I work in this space):

- Contact database was stolen
- User database with emails+passwords was not

Basically it's about the emails that they were scraping / guessing, not their
users' emails.

------
tonyquart
I have just read an article that might be useful for everyone who has received
multiple calls from legit businesses at
[http://www.whycall.me/news/my-4500-payday-from-a-telemarkete...](http://www.whycall.me/news/my-4500-payday-from-a-telemarketer/).
It's quite difficult, but I think if we could win against
those telemarketers, it will feel really good.

------
backspace_
I am curious how the database was stolen. Did the person(s) who accessed the
db delete the database afterwards or did they simply make a copy?

~~~
munk-a
Ideally yes? It'd be nice to know the people who were so irresponsible with
PII data ended up losing it...

------
aphroz
Isn't that data freely available already on their website? It looks like you
can get full name, company, position just by creating a free account. Maybe
they just scraped it.

------
andrewstuart
How? I want to know so I can try to avoid doing something similar.

------
anigbrowl
How much does data like this trade for on the black market, and do vendors
tend to partition it or just pursue quick turnover?

