Unknown Database leak of 90 GB contains data of 22 Million users


Unknown database breach contains the data of 22 million users

The unknown database with 90 GB of data contained user details like addresses, phone numbers, and social media links. It is not yet known who this database belongs to.

Troy Hunt has written about this data on his blog. He also runs the website “Have I Been Pwned”, which lets people check whether their personal data has been compromised in data breaches.

I was reticent to write this blog post because it leaves a lot of questions unanswered, questions that we should be able to answer. It’s about a data breach with almost 90GB of personal information in it across tens of millions of records – including mine. Here’s what I know:

Back in Feb, Dehashed reached out to me with a massive trove of data that had been left exposed on a major cloud provider via a publicly accessible Elasticsearch instance. It contained 103,150,616 rows in total, the first 30 of which look like this

Troy Hunt said

Unknown Database

[Source: Troy Hunt]

Troy names the database “db8151dd” because the data lines start with that string. The database contains data from public sources and is mostly scrapable. It also contains almost all of Troy’s social media data as well as his phone number.

It’s mostly scrapable data from public sources, albeit with some key differences. Firstly, my phone number is not usually exposed and that was in there in full. Yes, there are many places that (obviously) have it, but this isn’t a scrape from, say, a public LinkedIn page. Next, my record was immediately next to someone else I’ve interacted with in the past as though the data source understood the association. I found that highly unusual as it wasn’t someone I’d expect to see a strong association with and I couldn’t see any other similar folks.

Troy added

The data in that database comes from customer relationship management (CRM) systems, as it is some kind of aggregated data from a number of sources. However, so far no one has identified or claimed the database.

Troy also tweeted “If I have a MASSIVE spam list full of personal data being sold to spammers, should I load it into @haveibeenpwned?” with a yes-or-no poll, which so far stands at 85% for yes and 15% for no.

You can check whether any of your data has been breached on “Have I Been Pwned?”.

