URL: https://www.troyhunt.com/inside-the-demandscience-by-pure-incubation-data-breach/
INSIDE THE DEMANDSCIENCE BY PURE INCUBATION DATA BREACH

13 November 2024

Apparently, before a child reaches the age of 13, advertisers will have gathered
more than 72 million data points on them. I knew I'd seen a metric about this
sometime recently, so I went looking for "7,000", which perfectly illustrates
how unaware we are of the extent of data collection on all of us. I started Have
I Been Pwned (HIBP) in the first place because I was surprised at where my data
had turned up in breaches. 11 years and 14 billion breached records later, I'm
still surprised!

Jason (not his real name) was also recently surprised at where his data had
appeared. He found it in a breach of a service called "Pure Incubation", a
company whose records had appeared on a popular hacking forum earlier this year:



When Jason found his email address and other info in this corpus, he had the
same question so many others do when their data turns up in a place they've
never heard of before - how? Why?! So, he asked them:

> I seem to have found my email in your data breach. I am interested in finding
> how my information ended up in your database.

To their credit, he got a very comprehensive answer, which I've included below:

Well, that answers the "how" part of the equation; they've aggregated data from
public sources. And the "why" part? It's the old "data is the new oil" analogy
that recognises how valuable our info is, and as such, there's a market for it.
There are lots of terms used to describe what DemandScience does, including "B2B
demand generation", "buyer intelligence solutions provider", "empowering
technology companies to accelerate ROI", "supercharging pipelines" and "account
intelligence". Or, to put it in a more lay-person-friendly fashion, they sell
data on people.

DemandScience is what we refer to as a "data aggregator" in that they combine
identity data from multiple locations, bundle it up, and then sell it.
Occasionally, data aggregators end up having sizeable data breaches; before
today, HIBP already contained Adapt (9M records), Data & Leads (44M records),
Exactis (132M records), Factual (2M records), and You've Been Scraped (66M
records). According to DemandScience, "none of our current operational systems
were exploited", yet simultaneously, "the leaked data originated from a system
that has been decommissioned". So, it's a breach of an old system.

Does it matter? I mean, if it's just public data, should people care? Jason
cared, at least enough to make the original enquiry and for DemandScience to
look him up and realise he's not in their current database. Still, he existed in
the breached one (I later sent Jason his record from the breach, and he
confirmed the accuracy). As I often do in these cases, I reached out to a bunch
of recent HIBP subscribers in the breach and asked them three simple questions:

 1. Is the data about you accurate and if not, which bits are wrong?
 2. Is this data you would consider to be in the public domain already?
 3. Would you expect to be notified about your data being used in this fashion,
    and consequently appearing in a breach?

The answers were all the same: the data is accurate, it's already in the public
domain, and people aren't too concerned about it appearing in this breach. Well
that was easy 🙂 However...

There are two nuances that aren't captured here, and the first one is that this
is valuable data; that's why DemandScience sells it! It comes back to that "new
oil" analogy, and if you have enough of it, you can charge good money for it.
Companies typically use data such as this to do precisely the sort of
catchphrasey stuff the company talks about, primarily around maximising revenue
from their customers by understanding them better.

The second nuance is that whilst this data may already be in the public domain,
did the owners of it expect it to be used in this fashion? For example, if you
publish your details in a business directory, is your expectation that this info
may then be sold to other companies to help them upsell you on their products?
Probably not. And if, like many of the records in the data, someone's row is
accompanied by their LinkedIn profile, would they expect that data to be matched
and sold? I suggest the responses would likely be split here, and that in itself
is an important observation: how we view the sensitivity of our data and the
impact of it being exposed (whether personal or business) is extremely personal.
Some people take the view of "I have nothing to hide", whilst others become
irate if even just their email address is exposed.

Whilst considering how to add more insights to this blog post, I thought I'd do
a quick check on just one more email address:

"54543060",,"0","TROY","HUNT","PO BOX 57",,"WEST RYDE",,,"AU","61298503333",,,,"troy.hunt@pfizer.com","pfizer.com","PFIZER INC",,"250-499","$50 - 99 Million","Healthcare, Pharmaceuticals and Biotech","VICE PRESIDENT OF INFORMATION TECHNOLOGY","VP Level","2834",,"Senior Management (SVP/GM/Director)","IT",,"1","GemsTarget INTL","GEMSTARGET_INTL_648K_10.17.18",,,,,,,,,"18/10/2018 05:12:39","5/10/2021 16:47:56","PFIZER.COM",,,,,"IT Management General","Information Technology"


I'll be entirely transparent and honest here - my exact words after finding this
were "motherfucker!" True story, told uncensored here because I want to impress
on the audience how I feel when my data turns up somewhere publicly. And I do
feel like it's "my" data; it's certainly my name and even though it's my old
Pfizer email address I've not used for almost a decade now, that also has my
name in it. My job title is also there... and it's completely wrong! I never had
a VP-level role, even though the other data around my tech role is at least in
the vicinity of being correct. But other than the initial shock of finding
myself in yet another data breach, personally, I'm in the same boat as the HIBP
subscribers I contacted, and this doesn't bother me too much. But I also agree
with the following responses I received to my third question:

> I think it is useful to be notified of such breaches, even if it is just to
> confirm no sensitive data has been compromised. As I said, our IT department
> recently notified me that some of my data was leaked and a pre-emptive
> password reset was enforced as they didn't know what was leaked. 

> It would be good to see it as an informational notification in case there's an
> increase in attack attempts against my email address.

> I would like to opt-out of here to reduce the SPAM and Phishing emails.

That last one seems perfectly reasonable, and fortunately, DemandScience does
have a link on their website to Do Not Sell My Information:

Dammit! If, like me, you're part of the 99.5% of the world that doesn't live in
California, then apparently this form isn't for you. However, they do list
dataprivacy@demandscience.com on that page, which is the same address Jason was
communicating with above. Chances are, if you want to remove your data then
that's where to start.

There were almost 122M unique email addresses in this corpus and those have now
been added to HIBP. Treat this as informational; I suspect that for most people,
it won't bother them, whilst others will ask for their data not to be sold
(regardless of where they live in the world). But in all likelihood, there will
be more than a handful of domain subscribers who take issue with that volume of
people data sitting there in one corpus easily downloadable via a clear web
hacking forum. For example, mine was just one of many tens of thousands of
Pfizer email addresses, and that sort of thing is going to raise the ire of some
folks in corporate infosec capacities.

One last comment: there was a story published earlier this year titled Our
Investigation of the Pure Incubation Ventures Leak and in there they refer to
"encrypted passwords" being present in the data. Many of the files do contain a
column with bcrypt hashes (which is definitely not encryption), but given the
way in which this data was collated, I can see no evidence whatsoever that these
are password hashes. As such, I haven't listed "Passwords" as one of the
compromised data classes in HIBP, and if you find yourself in this breach, I
wouldn't be at all worried about this.
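
To make the two technical points above concrete, here's a small Python triage routine of the sort you'd run over a corpus like this. It is an added example, not code from this post or from HIBP. It parses rows in the same headerless, fully quoted shape as my record above, counts unique addresses after case-folding (which is how a figure like "122M unique email addresses" has to be arrived at, since the same person routinely appears with different capitalisation), and flags any field that is in bcrypt's modular-crypt format. The sample rows, addresses and hash strings are constructed for the example, and the column layout is assumed to match the quoted record. Note what the bcrypt check does and doesn't tell you: a "$2a$", "$2b$" or "$2y$" string with a two-digit cost is bcrypt output, which makes it a one-way hash rather than "encrypted" anything, but the format alone says nothing about what was hashed.

```python
import csv
import io
import re

# Constructed sample rows (NOT data from the breach), in the same shape as the
# record quoted in the post: comma-separated, quoted fields, blanks for missing
# values, no header row. Addresses and hash strings are made up for this example.
SAMPLE_ROWS_TEXT = "\n".join([
    '"1001",,"0","ALICE","EXAMPLE","PO BOX 1",,"SYDNEY",,,"AU","61200000000",,,,'
    '"Alice.Example@example.com","example.com","EXAMPLE PTY",,'
    '"$2a$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"',
    '"1002",,"0","ALICE","EXAMPLE","PO BOX 2",,"MELBOURNE",,,"AU","61300000000",,,,'
    '"alice.example@example.com","example.com","EXAMPLE PTY",,'
    '"5f4dcc3b5aa765d61d8327deb882cf99"',
    '"1003",,"0","CAROL","TEST","PO BOX 3",,"PERTH",,,"AU","61800000000",,,,'
    '"carol@test.example","test.example","TEST LTD",,""',
])

# bcrypt modular-crypt format: "$2$" / "$2a$" / "$2b$" / "$2x$" / "$2y$" prefix,
# a two-digit cost, then 22 salt + 31 digest characters from bcrypt's own
# base64 alphabet (53 characters in total). Matching this proves the string is
# bcrypt output, not that the input was a password.
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$\d{2}\$[./A-Za-z0-9]{53}$")

# Deliberately loose: we only need to pick out email-shaped fields in a row
# whose column meanings we don't fully trust.
EMAIL_RE = re.compile(r'^[^@\s"]+@[^@\s"]+\.[^@\s"]+$')


def parse_rows(text):
    """Parse the headerless, fully quoted CSV into lists of string fields.

    csv.reader turns the bare ",," runs into empty strings, which is what we
    want; completely empty rows are dropped.
    """
    return [row for row in csv.reader(io.StringIO(text)) if any(row)]


def unique_emails(rows):
    """Collect every email-shaped field, trimmed and lower-cased.

    Counting unique addresses without case-folding overstates the number,
    because the same person shows up as Alice.Example@ and alice.example@.
    """
    found = set()
    for row in rows:
        for field in row:
            if EMAIL_RE.match(field):
                found.add(field.strip().lower())
    return found


def looks_like_bcrypt(value):
    """True when the field is syntactically a bcrypt hash string."""
    return bool(BCRYPT_RE.match(value))


def find_bcrypt_fields(rows):
    """Return (row_index, column_index) for every field in bcrypt format."""
    return [
        (r, c)
        for r, row in enumerate(rows)
        for c, field in enumerate(row)
        if looks_like_bcrypt(field)
    ]


def summarise(text):
    """One-shot triage: row count, unique address count, bcrypt-shaped fields."""
    rows = parse_rows(text)
    return {
        "rows": len(rows),
        "unique_emails": len(unique_emails(rows)),
        "bcrypt_fields": find_bcrypt_fields(rows),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_ROWS_TEXT))
```

On the sample above, three rows collapse to two unique addresses, and exactly one field (row 0, column 19) is in bcrypt format; the 32-hex-character value in row 1 is not flagged, because it isn't bcrypt, and whether it's a digest of anything at all is again something the format can't tell you. Run over a real file the next step is to look at what else sits in the flagged column and where the rows came from, which is the reasoning behind not listing "Passwords" for this breach.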

TROY HUNT

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a
Microsoft Regional Director and MVP who travels the world speaking at events and
training technology professionals
COPYRIGHT 2024, TROY HUNT

This work is licensed under a Creative Commons Attribution 4.0 International
License. In other words, share generously but provide attribution.