Marketing Firm Exactis Leaked a Personal Info Database with 340M Records (wired.com)
429 points by georgecmu on June 29, 2018 | 294 comments



What's the big deal? Isn't this going to be the same copy of data that was previously leaked in other leaks?

What new category of data is leaked in this?


Does anyone else feel like this could just be a kind of stunt pulled out of thin air described by "Trust me, I'm lying"?


This is laughable. Data security is a fairy-tale. We've all been bought and sold and there is nothing any of us can do to fix it.


Erm, not opening up this fucking Elasticsearch instance to the entire internet would be a pretty easy way to get like 90% of the way there. I do operations. I can tell you exactly how not to make rookie mistakes like this. But security isn’t sexy, and it isn’t profitable, so it falls by the wayside.
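As an added illustration of the misconfiguration this comment refers to (example code, not from the thread, from Exactis or from Elastic): a small POSIX shell audit that flags an elasticsearch.yml which binds to a non-loopback address while authentication is off. The two configurations, the cluster name and the 10.0.0.5 address are constructed for the example; the keys `network.host` and `xpack.security.enabled` are real Elasticsearch settings (authentication has been free in the basic licence since 6.8 / 7.1).

```shell
#!/bin/sh
# Added example: audit an elasticsearch.yml for the "open to the whole internet"
# misconfiguration discussed above. Both configs below are constructed.

# Constructed weak config: 0.0.0.0 with security off means anyone who can reach
# TCP/9200 can read, modify and delete every index without credentials.
WEAK_CONFIG='cluster.name: prod-leads
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
'

# Constructed hardened config: bind to a private interface only, require
# authentication and TLS on the HTTP layer. A firewall rule restricting 9200 to
# the application hosts still belongs on top of this.
HARDENED_CONFIG='cluster.name: prod-leads
network.host: 10.0.0.5
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
'

# es_yaml_get CONFIG KEY: print the value of a flat top-level "key: value" line,
# which is how elasticsearch.yml is normally written. Dots in KEY are treated as
# regex wildcards, which is harmless for these fixed key names.
es_yaml_get() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}

# es_config_exposed CONFIG: exit 0 (true) when the node listens on a non-loopback
# address and authentication is not explicitly enabled; exit 1 otherwise.
# Security defaults differ across versions, so only an explicit "true" counts.
es_config_exposed() {
    host=$(es_yaml_get "$1" network.host)
    security=$(es_yaml_get "$1" xpack.security.enabled)
    case "$host" in
        ""|127.0.0.1|::1|_local_|localhost) return 1 ;;   # loopback is the default
    esac
    [ "$security" = "true" ] && return 1
    return 0
}

# es_config_verdict CONFIG: one-word result for a human running the script.
es_config_verdict() {
    if es_config_exposed "$1"; then echo EXPOSED; else echo OK; fi
}

es_config_verdict "$WEAK_CONFIG"       # EXPOSED
es_config_verdict "$HARDENED_CONFIG"   # OK
```

Run it against a real file with `es_config_verdict "$(cat /etc/elasticsearch/elasticsearch.yml)"`. The check is deliberately conservative: a node bound to 0.0.0.0 with authentication enabled passes, but still deserves a network-level restriction, since authentication alone does not stop credential stuffing or unpatched-version exploits.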


The problem isn’t that these people are incompetent at network security (they are), the problem is that these people had your data to begin with. Data security is impossible because there is a massive shadow market for your entire life history and no amount of privacy setting theater will make up for the fact that your personal data is currently the target of an insatiable feeding frenzy.


> I do operations. I can tell you exactly how not to make rookie mistakes like this

But you guys are expensive and management can't tell what you do, so we invented devops to make the developers do it. It worked perfectly until it didn't.

Seriously though, as a dev with script kiddie levels of pen-testing skills it's amazing the amount of potential exploits out there. Even where I work with sensitive data it's assumed that the only attack vector is external.


Perhaps someone was paid to open the Elasticsearch to the entire internet so that the buyer could grab the data.


One common theme of all these companies is that they don't want to pay for good talent in security.


The problem is how they get that data, not how securely it is kept.


> they don't want to pay for good talent in security

To be fair, I'm not sure they made the wrong choice.



Would be good to get a copy of this database to search the details of top executives involved in privacy-violating companies and publish them.


Not likely


And... no one will go to jail.


If jail time were a real concern for owning data like this, maybe fewer companies would exist owning such data. The potential for people to use this to steal identities is too high, I think.


Who exactly should go to jail, and what would that help?

For all the do-something-ism in the world, doing "something" often amounts to making things worse, while allowing actual avenues for improvement to fester.


The CEOs of the company.

"Hey, you can get sent to jail for collecting and exposing personal information" would make a lot of people rethink their business models.


What will help?


Find a way to use the unique position of the operators of this database to assist those affected in preventing identity theft and other threats which are worsened by the leak. Maybe figure out if there is money out there to account for the cost of that.


So what are the odds someone at Exactis was paid off to loosen the access controls and provide relevant access info to the buyer?

A lot of people would probably do that for a chunk of money.

Starting to think that with databases like this, any configuration change that involves exposure to the internet should involve two company officers turning keys like in a nuclear missile launch.


"exposes" here is quite a strange term, because their entire business is selling that same data.

The only difference is that it was briefly available without a price tag.


That assumes they would sell to absolutely any group including terrorists, hate groups and sanctioned countries.

At least without the leak they have the option to refuse.


>That assumes they would sell to absolutely any group including terrorists, hate groups and sanctioned countries.

Shell companies and fronts are a great workaround for that.

How do you know who they sell to? And then, after it's been sold the first time, how do you know where the copies of that data are being sold to by the buyer?

Turtles all the way down.


You think they care beyond the colour of the money? Ha, welcome to capitalism my sweet Summer child.


Exactly! The only thing a "breach" changes is allowing us to actually see the files that Stasi 2.0 are keeping!

I'm much more worried about the persistent legally-blessed attacks against our decision making (eg advertising) and financial independence (eg price discrimination), than about receiving backscatter from uncoordinated randos defrauding banks et al. Banks who are responsible for much of this surveillance infrastructure in the first place.


Every American's DNA was leaked and a malicious AI bot is making a customized oncovirus for each if they visit Washington, D.C. "Oops, our bad. Here's a coupon half-off Tamiflu."

Externalities of data breaches keep increasing.


You should write a modern cyberpunk story!


Dick is my middle (nick)name, but my name isn't Philip K. Dick. I'd be turgidly-pressed to write anything comprehensible, much less worth reading. And I'm already starving, I'd have to lop off more than my ears to be a proper starving artist... oh wait, that didn't come out right. Nothing to see here, carry on.


All I'm saying is that I liked your short vision of a possible reality, and I'd love to read even a short story about it. Hell, I'd _write_ a short story about it, although I doubt my English is good enough for anything beyond simple small talk; I envy people with more imagination than I have. That being said, why are you starving, man? I've gone through some of your comments, and it seems you are having some sort of trouble with the mind parasites. I have no idea whether it is possible to PM on HN, but, should you need an anonymous ear, I've been told I am a good listener. Otherwise, I just want to tell you that if you put your mind to it, you will find the source of power inside of you with some help or without, and things are going to work out. Oh, and read Mind Parasites if you can - it has helped me with my depression quite a bit.


spoiler alert: nobody goes to jail.


In all seriousness, what law (in the US) has this company broken? I'm assuming all the data they got was somehow obtained through legal channels in the first place?

People may be up in arms about this being a "breach", but think about it: they're a "data brokerage" company. Consider this breach a sale price of $0. My point is what should be scary is that all of this data is bought and sold about all of us, all the time, in the first place.


Sadly, I think you're right. And in the end, this may just end up being great marketing for the data they're selling.

Reminds me of a startup that I used to work for a while back. We had hired a new hot-shot marketing VP. First thing he does is to purchase 'qualified leads' from some dubious data broker and trumpet how he had generated more leads in his first week than the company had over its existence. Then the new hot-shot VP of sales hires a couple of inside-sales guys to call through this massive list with a script (which they probably bought from somewhere too, since I don't recall recognizing our product from it) provided by the new marketing VP.

This was a time when people still answered when someone called from unknown number. I remember chatting with the poor inside-sales guys who had to do the calling, and oh boy were they frustrated, but that was nothing compared to how badly the calling was received by people who got the calls.

I am pretty sure the company got exactly zero sales out of that exercise and probably killed a few future deals too. But I am sure at least the marketing VP met his KPIs.

Moral of the story: there are shady people out there that are more than happy to pay for all kinds of data sets.

I believe that as a society we should exert more control over our data, and companies selling it should be scrutinized, regulated and taxed for doing so.


Just because it’s legal doesn’t make it right. No, there is no law against this. That’s a problem, and it will continue to be a problem until it either affects enough CEOs or some Congressman’s kid gets screwed over by it. Until then we’re all going to be forced to clean up the messes ourselves.


I'm not saying it's right, but the original comment was basically complaining that no one will go to jail for this. People shouldn't go to jail for things that are subjectively "wrong" if they're not illegal.


Maybe libel?


Some US laws are too pro-corporations.


there is never any punishment for corporations.

death's too good for them.


What a shitty thing to say. Suggesting that death is a reasonable response to this is absurd.


A corporation dying is the equivalent of revoking their corporate charter, no reason to respond as though we're talking about actual people.




