Two Huge, Scary, Unique Data Breaches that Will Affect You Personally

What Happened

Back in November, two of the largest data breaches ever occurred, but despite being headline news, many people outside the security industry failed to notice because they simply did not recognize the brand names associated with the breaches — People Data Labs and Oxydata, two large market research firms.

The unique aspect of these data breaches was the actual data stolen. The breaches did NOT include social security numbers, credit card and banking account numbers, addresses, or passwords. Instead, it included information on up to 1.5 billion people including over “a billion personal email addresses, more than 420 million LinkedIn URLs, more than a billion Facebook URLs and IDs, and more than 400 million phone numbers” per Wired. Forbes notes that People Data Labs bills themselves as the “source of truth for person data” and has “unparalleled coverage across over 150 data points” while Oxydata has aggregated data on over 380 million people and 14 million companies.

These two companies scour the public domain online and gather all of your information to sell to companies and advertising firms to market you. This type of market research is legal, highly unregulated, and a normal part of the advertising/marketing industry. However, this information in the wrong hands goes far beyond the creepy factor where you see an ad on Facebook of a product you just looked at on Amazon.

The Scary Part

Most people know phishing is a common tactic hackers use where they send millions of emails to random email addresses hoping unsuspecting people will click on a link. Phishing is a numbers game where a .01% click rate on 10,000,000 emails still nets them 10,000 clicks where they can quietly install a ransomware virus onto your machine or trick you into providing your email login credentials.

The more specific form of phishing is called “spear-phishing” where cybercriminals research the target and send a highly tailored email to the target, generally a business executive, wealthy individual, or someone with access to confidential data like an HR director. Because the message is customized, their percentage of clicking is much higher than .01% and they know the target has access to something they want.

After these two breaches, hackers now have 150 data points on over 1 billion people, including 260 million Americans, at their fingertips. How do we know cybercriminals have this information? This week, we’ve gotten over 500 alerts that our clients’ information was found on the Dark Web related to the People Data Labs and Oxydata breaches.

What Will Cybercriminals Do With Your Personal Information?

We expect cybercriminals will do the following tactics with this highly detailed data about you:

• Highly Specific Spear Phishing Emails – They know a lot about you including your favorite sports teams, family members, pets, buying habits, and more so you could likely get an email for a free bandana for your poodle with your favorite collegiate team’s logo and they’ll have it shipped to you in time for your birthday.
• Impersonate Your Friends – Another common tactic is to impersonate someone by cloning their online accounts like Facebook. You’ve probably seen friends post on Facebook that their accounts were hacked and to not accept new friend invites from them. They weren’t actually hacked, someone is spoofing them to connect with the same people in order to trick them into giving them personal information. Since they have a lot of personal information from these breaches, they may want to fill in some key information or phish your connections via social media channels.
• Guess Your Password – If a hacker knows your favorite sports team, where you went to school, the street you grew up on, and your pets’ names, they probably have more than a 50/50 shot to guess your password. (By the way, changing “tigers” to “T!gers” makes it more secure from password crackers, but hackers know those tricks too and will try deviations of passwords they think you use.)

What Can You Do To Protect Yourself

Unfortunately, you cannot delete information off the internet, especially if it is on the Dark Web already.

You need to stay vigilant and confirm suspicious emails, especially from people you know randomly asking for data like account numbers, personal information, or for you to do something like buying gift cards. Look at details like the email came from an email outside your company email and the hackers just added an “s” to your domain name.

Change your passwords to something complex that has lowercase and uppercase letters, numbers, special characters, and is at least 8 characters, if not 12 characters long. We also recommend not reusing passwords, in particular, never use the same password as your personal or company email.

Always utilize two-factor authentication where available, especially on your email, financial, and social media accounts.

You can also utilize identity theft monitoring to quickly alert if something looks suspicious or if your identity has been stolen. These services will also help you much faster and thoroughly than you can do alone.

Unfortunately, we live in a world with cybercriminals and we must stay diligent to protect ourselves, our family & friends, our companies, and our clients. Although these two breaches did not include sensitive information like passwords and social security numbers, the data stolen adds a whole new level of sophistication and personalization to a hacker’s arsenal.

If you’re concerned about your company’s cybersecurity, please reach out to us and let’s discuss how we can better secure your data, train your team, and protect your company. We can also run your company’s domain name in our Dark Web database for free so you can see if you have passwords and personal information already accessible to cybercriminals.