The Apollo Breach Included Billions of Data Points

[uptown]

"The sales intelligence firm firm Apollo sent a notice to its customers last week disclosing a data breach it suffered over the summer. "On discovery, we took immediate steps to remediate our systems and confirmed the issue could not lead to any future unauthorized access," cofounder and CEO Tim Zheng wrote. "We can appreciate that this situation may cause you concern and frustration." In fact, the scale and scope of the breach has a lot of people concerned."

Nice of them to notify their customers, but not the people whose data has been exposed. "Have I Been Pwned" alerted me.

[IceyEC]

I didn't even know who Apollo was until I got that email

[fooey]

I still haven't figured out who they are, but my email account that was compromised was made specifically for Heroku.

Thanks to haveibeenpwned.com for the heads up.

[regecks]

The one that I got a hit for was made specifically for New Relic.

Is this some kind of sales platform or what? It's so tiresome to have your email become the town bike the moment any SaaS gets their hands on it.

[fooey]

I had a NewRelic account via Heroku, so that's a link for me too

[jonny_eh]

Maybe NewRelic is a customer and Apollo slurped up all their Salesforce contacts (aka NewRelic users)?

[lededje]

The email that was breached of mine was from hired.com. Similar situation vis-a-vis not being told

[icebraining]

Mine was an account for Plivo.

[ehPReth]

Plivo here as well

[shady-lady]

Apollo, formerly known as ZenProspect, YC Winter 2016 class.

Unlikely they're not active on HN. Maybe they could elaborate on how this happened.

Wonder how hard GDPR fines are going to hit them.

also only notified by haveibeenpwned

[syncerr]

Apollo has a page on how to have your data removed. Simply request it by emailing support@apollo.io or remove@apollo.io.

https://www.apollo.io/legal

[abricot]

Too late.

[wl]

My work contact information has been in the Apollo, Exactis, and NetProspex breaches. I have no idea how my information ever got in these databases. Have I been pwned sent the only notifications I got about these breaches. Does anyone maintain a list of these services I can preemptively get my information removed from?

[jaclaz]

I may be missing something, but the net effect of this kind of breach is seemingly not that (like the case of a data breach of a "single" company user database) of having "reserved" data (that only the company had and that was given to it with an expectation in good faith by the user to keep it safe) in the hands of someone else, it is more like having data that was already available to anyone for a fee in the hands of someone that didn't pay that fee.

[throwawaylolx]

Can I check what data Apollo had on me?

[mattlondon]

If you are a EU citizen then GDPR should allow you to request it since they are clearly operating in the EU if you are from the EU and got notified.

Email them and say that you are making a GDPR subject access request. They have 30 days to respond.

[raggi]

I once ran a social media marketing organization where we were very good about not scraping data outside of the terms and conditions of the networks we interacted with.

In so many of these breaches we're seeing cases where these analytics firms have data scraped from networks that is well in violation of terms - not mistakenly, but wanton disregard for data usage policies of those networks.

Why is nothing ever done about that?

[Latteland]

we need gdpr in the us

[lostmsu]

In all these breaches I wonder if the data ends up public. Might serve good to sciences.

[sushid]

It has peoples names, phone numbers, job titles, and current places of employment. I don't see how that level of compromise is good for the sciences.

[lostmsu]

With that kind of info you could compute various societal statistics on occupation. Including, for example, being able to see if any large company has minorities underrepresented in higher-level positions.