Stolen data of 122 million people has begun making the rounds online without the consent of the data owners.
In yet another data theft this year, DemandScience (formerly Pure Incubation), a B2B lead demand generation firm that collects data, was linked to a data breach involving millions of people’s business information.
Millions of people's stolen data, primarily business information, has been circulating online since February 2024. This included full names, physical addresses, email addresses, telephone numbers, job titles and functions, and social media links.
DemandScience's main business model involves processing, collecting, compiling, and organising data from public sources and, in this case, third-party sources too.
They then create a detailed dataset that can be used by digital marketers and advertisers to generate leads and marketing information.
As it turns out, KryptonZambie was the perpetrator who stole the data from DemandScience without authorisation and began leaking it online earlier this year.
132.8 Million Records Began Leaking
According to Bleeping Computer, in February 2024, the threat actor began selling 132.8 million records on BreachForums, claiming they were stolen from an exposed system belonging to Pure Incubation.
#DataLeak Alert ⚠️⚠️⚠️
🚨Over 183 Million Pure Incubation Ventures Records for Sale 🚨
183,754,481 records belonging to Pure Incubation Ventures (https://t.co/m3sjzAMlXN) have been put up for sale on a hacking forum for $6,000 negotiable.
Additionally, the threat actor with… pic.twitter.com/tqsyb8plPG
— HackManac (@H4ckManac) February 28, 2024
Back then, the firm denied the data breach. During investigations, Bleeping Computer found leaked data and asked DemandScience about its ownership.
Derek Beckwith, a senior director of corporate communications, told them that upon receiving the post with the leaked information, the company immediately kicked off its security protocols.
"Based on the post you forwarded from a black hat hacking crime forum, we immediately activated our security and incident response protocols," he stated.
"All our systems are 100% operational, and we have not found any indication that a hack or breach to any of our systems or data has occurred (all are secured behind firewall/VPN access/Access control/intrusion detection systems). We are continuing to monitor the situation, so it would not be appropriate to expand further at this point."
However, the situation seemed to have worsened by August 15, 2024, when KryptonZambie granted access to the data for 8 credits.
8 credits is equivalent to just a few dollars, making it essentially free data for many.
‘Data is the New Oil’
In a blog post published yesterday [November 14, 2024], Troy Hunt, a Microsoft regional director and MVP, explained that this likely happened because “data is the new oil.” This saying recognises how valuable our info is, and as such, there's a market for it.
Simply put, he says DemandScience sells data on people, and the collection is at a massive scale. When the data was breached, the company was allegedly running the data on old systems.
Hunt refers to someone whose data was exposed and who contacted DemandScience about spotting their data on unauthorised platforms.
DemandScience told the victim of the breach that the leaked data originated from a system that had been decommissioned two years ago.
"Regarding the matter referenced in your email, we have conducted a thorough internal investigation and conclude that none of our current operational systems were exploited," DemandScience stated in an email.
"We also conclude that the leaked data originated from a system that has been decommissioned for approximately two years," the company added.
Many others were affected by the breach, including Hunt, whose business information was leaked from when he worked at Pfizer.
The 122 million unique email addresses from the stolen dataset have been added to Have I Been Pwned. Individuals affected by the breach will receive notifications.