Data breach: Resolved

Exactis data exposure

Data-marketing firm Exactis left a database of nearly 340 million detailed records on individuals and businesses exposed on a publicly accessible server with no firewall. Each record held up to 400 fields of personal profiling data, from contact details to children's ages, religion, and habits.

Victim: Exactis LLC
Records: 340.0M
Users: 340.0M

In June 2018, security researcher Vinny Troia discovered that Exactis, a little-known data-marketing and aggregation firm based in Palm Coast, Florida, had left a database of nearly 340 million records sitting on a publicly accessible server with no firewall in front of it. There was no hack and no attacker: the data was simply exposed to anyone who knew where to look. By record count it was one of the largest known exposures of U.S. personal data, surpassing even the Equifax breach.

What happened

Troia found the database while scanning the internet for exposed Elasticsearch instances using the Shodan search engine. He came across an Exactis-owned database that was reachable on a public IP address with no access controls. Anyone could query it.

The exposure totaled around 2 terabytes of data and roughly 340 million records (approximately 230 million on individual consumers and 110 million on business contacts). Critically, this was not just names and emails. Each record reportedly contained up to 400 separate fields of granular profiling data.

What was exposed

The records went far beyond basic contact information. Exposed fields reportedly included:

  • Names, physical and email addresses, and phone numbers.
  • Highly personal attributes: the number of children in a household and their ages and genders, marital status, religion, ethnicity, and personal interests and habits.
  • Financial and lifestyle signals: estimated home value, whether the person owns stock, the type of credit cards they hold, their credit standing, and political donation history.

Notably, the data did not appear to include Social Security numbers or credit-card numbers, but the breadth of behavioral and household profiling made it deeply sensitive in aggregate: the kind of dossier used for targeting and potentially for social-engineering or fraud.

Impact

  • An estimated 340 million records exposed, covering a substantial share of the U.S. adult population and millions of businesses.
  • After being notified, Exactis secured the database and took it offline; there is no public confirmation that malicious actors copied the data before it was locked down.
  • Class-action lawsuits were filed against Exactis in the weeks following the disclosure.
  • The incident intensified scrutiny of the data-broker industry: companies that compile and sell detailed consumer profiles, often without the knowledge or consent of the people described.

Why it matters

Exactis crystallized an uncomfortable truth about the modern data economy: the most damaging leaks need not involve any hacking at all. A single misconfigured, internet-facing database at an obscure broker most consumers had never heard of put intimate details about hundreds of millions of people within reach of anyone scanning the internet. It became a leading example in the debate over data-broker regulation and consent, and a standard cautionary tale about securing cloud and Elasticsearch deployments: locking down public access, requiring authentication, and not exposing bulk personal data to the open internet.
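To make the last point concrete, here is an added illustration (not from the page's sources and not Exactis's actual configuration, which was never published) of the difference between an `elasticsearch.yml` that leaves a node open to the internet and one that applies the three controls named above. The setting names are real Elasticsearch 7.x/8.x options; the certificate paths and the interface address are assumed placeholders.

```yaml
# --- Constructed example: an exposed node (assumed weak config, not Exactis's real file) ---
# Binding to every interface with security disabled means anyone who can reach
# TCP port 9200 on this host can run arbitrary queries with no credentials.
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false

---
# --- Hardened equivalent ---
# Bind only to the loopback or private-network interface so the HTTP API is
# not reachable from the public internet (a host/cloud firewall should also
# block 9200/9300 from outside the trusted network).
network.host: 127.0.0.1      # assumed: replace with the host's private address
http.port: 9200

# Require authentication on every request. Enabled by default in 8.x; set
# explicitly so the intent survives upgrades and copy-pasted configs.
xpack.security.enabled: true

# Encrypt the HTTP API so credentials and query results are not sent in cleartext.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12          # assumed path

# Encrypt and authenticate node-to-node transport traffic as well.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12    # assumed path
xpack.security.transport.ssl.truststore.path: certs/transport.p12  # assumed path
```

A practical self-check after applying the hardened settings: from a machine outside the trusted network, an HTTP request to port 9200 should time out or be refused; from inside it, an unauthenticated request to `/` should return HTTP 401 rather than the cluster banner. If either check returns JSON with the cluster name and version, the node is still serving anonymous queries.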

Timeline

  1. Security researcher Vinny Troia discovers an Exactis database openly accessible on a public server while scanning Shodan for exposed Elasticsearch instances.

  2. Troia confirms the database holds close to 340 million records (roughly 230 million on consumers and 110 million on business contacts) and notifies Exactis and the FBI.

  3. Wired publishes the first report on the exposure; Exactis secures the database and pulls it offline.

  4. Class-action lawsuits are filed against Exactis over the exposure of sensitive personal data.

Sources

  1. wired.com: https://www.wired.com/story/exactis-database-leak-340-million-records/
  2. en.wikipedia.org: https://en.wikipedia.org/wiki/Exactis
  3. haveibeenpwned.com: https://haveibeenpwned.com/Breach/Exactis
  4. databreachtoday.com: https://www.databreachtoday.com/marketing-firm-exposes-340-million-records-on-us-consumers-a-11143

Related incidents

Data breach: Contained

Quora data breach

The question-and-answer platform Quora disclosed that an unauthorized third party had accessed the data of approximately 100 million users, including names, email addresses, salted-and-hashed passwords, and imported contact and demographic data.

Victim: Quora
Records: 100.0M

Data breach: Ransom paid

Instructure Canvas LMS ShinyHunters breach (2026)

ShinyHunters exploited Canvas's Free-For-Teacher account programme to exfiltrate 3.65 TB of data spanning approximately 275 million users across nearly 9,000 schools: names, email addresses, student IDs, and some private messages between students and teachers. Instructure reportedly paid the ransom and the data was destroyed.

Victim: Instructure (Canvas LMS)
Loss: $10.0M
Records: 275.0M