Data broker amasses 100M+ records on people – then someone snatches, sells it


What's claimed to be more than 183 million records of people's contact details and employment info has been stolen or otherwise obtained from a data broker and put up for sale by a miscreant.

The underworld merchant, using the handle KryptonZambie, has put a $6,000 price tag on the information in a cybercrime forum posting. They are offering 100,000 records as a sample for interested buyers, and claim the data as a whole includes people's corporate email addresses, physical addresses, phone numbers, names of employers, job titles, and links to LinkedIn and other social media profiles.

We believe this information is already publicly available, and was gathered up by a data-broker called Pure Incubation, now called DemandScience. That biz told us it was aware of its data being put up for sale, and sought to clarify what had been obtained – business-related contact details that are already out there.

"It is also important to note that we process publicly available business contact information, and do not collect, store, or process consumer data or any type of credential information or sensitive personal information including accounts, passwords, home addresses or other personal, non-business information," a DemandScience spokesperson said in an email to The Register.

Seems to us this is the circle of data brokerage life. One org scrapes a load of info from the internet to profit from, someone else comes along and gets that info one way or another to profit from, sells it to others to profit from...

Here's the rest of the company's statement, in which it tells us it doesn't for now think the info was obtained directly from its systems in an IT security breach:

DemandScience claims to "generate leads for a future-proof sales and marketing funnel," all of which is marketing jargon for: We scrape people's publicly available identifiers and other data from a variety of sources, bundle it up nicely, and sell it to companies that then use it to target you in advertising campaigns. 

In other words: It's a data broker, which means, if you are lucky enough to live in California, at least, you can opt out of DemandScience selling your data.


Have I Been Pwned spotted the data dump for sale, and added it to its list of security incidents on Wednesday. The info went on sale around February, it seems, and the data thieves are flogging at least 122 million unique email addresses scooped up by Pure Incubation.

A subsequent report by HIBP founder and Microsoft regional director Troy Hunt includes a screenshot of an email from DemandScience – sent to someone whose info was in the data peddled by KryptonZambie – that blamed the leak on a "system that has been decommissioned for approximately two years."

Infosec watcher HackManac also sounded the alarm with a screenshot of the miscreant's forum posting, in which KryptonZambie claimed 183,745,481 records are up for grabs. We should note: Neither HackManac nor The Register has verified these claims.

After coming across the pile of data for sale, and hearing from someone whose personal information was swept up in the affair, Hunt said he decided to check whether his own info was included. He did find a decade-old email address and an incorrect job title.

"I'll be entirely transparent and honest here - my exact words after finding this were 'motherfucker!' True story, told uncensored here because I want to impress on the audience how I feel when my data turns up somewhere publicly," Hunt wrote.

We couldn't have said it any better ourselves. ®
