The information belonged to consumers in Canada, the U.K., and the U.S. and included phone numbers and social media profiles. Social Security numbers, passwords, and credit card numbers were not found.
The researchers said the leak is unique because of the fact that the data sets appear to have come from two different data enrichment companies: People Data Labs (PDL) and OxyData.io. The OxyData.io data “revealed an almost complete scrape of LinkedIN data, including recruiter information” while the PDL data accounted for a majority of the exposed data.
“This is an incredibly tricky and unusual situation,” Troia wrote. “The lion’s share of the data is marked as ‘PDL’, indicating that it originated from People Data Labs. However, as far as we can tell, the server that leaked the data is not associated with PDL.”
Difficulty attributing ownership
PDL cofounder Sean Thorne told WIRED that his company doesn't own the server that hosted the exposed data. He said the owner of the server “likely used one of our enrichment products, along with a number of other data enrichment or licensing services.”
OxyData also denied ownership of the data. Troia said he believes both claims. Neither firm dismissed the possibility that one of its customers mishandled their data. Troia concluded that the quantity of exposed information, paired with the difficulty in determining who is accountable for the exposure, raises several questions.
“Due to the sheer amount of personal information included, combined with the complexities identifying the data owner, this has the potential to raise questions on the effectiveness of our current privacy and breach notification laws,” he said.