
The Unattributable "Lead Hunter" Data Breach

Pwned again. Damn. That's me who's pwned again because my personal data has just turned up in yet another incident from a source I can't attribute. Less than 3 weeks ago I wrote about The Unattributable "db8151dd" Data Breach which, after I posted that blog post and a sample of my own data, the community quickly attributed to Covve. My hope is that this blog post helps me and the 69 million other people in this one work out who collected and then exposed their personal information.

So, data first, here's what they have on me:

Similar deal to last time in that it was an exposed Elasticsearch instance and it was sent over to me by Dehashed. Turns out it's the same data Bob Diachenko identified earlier in the year, albeit with one twist: the attribution has changed. When Bob originally looked at the data, he would have seen the same thing as I first saw - the same term repeated over and over again:

The term "leadhunter" appears on every single one of the 110M+ rows and, understandably, that originally led Bob to leadhunter.com which is an "advanced B2B telemarketing" company based in Germany and sounds precisely like the sort of org that'd have this data in the first place. However, in subsequent discussions with them, Bob established beyond reasonable doubt that they were not the source of the data. I also reached out prior to this blog post and chatted to a representative of the German firm; the data isn't theirs. Nothing in the sample above lines up with their data and the way they run their business: not the type of data, not the volume of data and not the Elasticsearch infrastructure either. As they said, "leadhunter" is a pretty generic term and some quick Googling turns up many different possible sources using the same name. I wanted to make sure I included a reference to the original misattribution here just to ensure they didn't end up getting bombarded by people wanting a copy of their data (and don't bombard me with requests either!)

Getting back to my own personal record, this appears to be scraped from WHOIS as it contains information relating to asafaweb.com, a service I retired 18 months ago. The physical address is one I haven't lived at in almost 5 years and the WHOIS record was kept pretty accurate so I'm assuming this was scraped 4+ years ago. Either that or it was taken from another source put together around the same time frame (or earlier). Many of the other records also contain WHOIS information, but then many others don't. Some records have very generic company data against them (business type, annual revenue, the year it was founded), for example:

There's not even an email address in that one and as best I can tell, it's all publicly available directory information hence my sharing it here. On the other hand, records like this one are very personal:

Nothing to do with domains, but this one has an IP address located in France, albeit with a physical address putting her in Columbia. The record below that one has a totally different IP from New York and a physical address putting the person in Washington state. Both records (and many others in the data file) refer to "2018-marketing-year-end-master.txt" which dates it in the same year as my own personal record.
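The two attribution clues above pull in opposite directions: a term that sits on every one of 110M+ rows ("leadhunter") is too generic to pin on one company, whereas a file name that only some records carry ("2018-marketing-year-end-master.txt") names a specific export and dates it. The script below is an added example, not Troy Hunt's code and not the real data; it runs the kind of triage a responder would do over a sample before asking "whose data is this?". The SAMPLE rows are constructed to mimic the three record shapes described in the post (WHOIS-like, company-directory-like, personal-with-IP), and every name, address, IP, domain and second file name in them is made up.

```python
"""Attribution triage over a sample of breach records.

Added example, not the post author's code and not the actual "Lead Hunter"
data. SAMPLE is constructed to resemble the record shapes the post describes;
every name, address, IP and domain below is invented.
"""
import re
from collections import Counter

SAMPLE = [
    # WHOIS-like: domain plus registrant contact details (constructed)
    {"tag": "leadhunter", "domain": "example-retired.com", "name": "Alice Example",
     "email": "alice@example-retired.com", "address": "1 Old St, Brisbane, AU",
     "source_file": "2018-marketing-year-end-master.txt"},
    # Company-directory-like: no email, only generic business attributes (constructed)
    {"tag": "leadhunter", "company": "Acme Widgets", "business_type": "Manufacturing",
     "annual_revenue": "10M-50M", "year_founded": 1994},
    # Personal: email, IP and a physical address in a different country (constructed)
    {"tag": "leadhunter", "name": "Bob Sample", "email": "bob@example.net",
     "ip": "203.0.113.7", "address": "5 Rue Exemple, Paris, FR",
     "source_file": "2018-marketing-year-end-master.txt"},
    {"tag": "leadhunter", "name": "Carol Test", "email": "carol@example.org",
     "ip": "198.51.100.9", "address": "9 Pine Rd, Seattle, WA, US",
     "source_file": "contacts-q3.csv"},  # hypothetical second export name
]

FILE_NAME = re.compile(r"\.(txt|csv|json|xlsx?)$", re.IGNORECASE)


def field_coverage(records):
    """Fraction of records carrying each field (1.0 = present on every row)."""
    n = len(records)
    counts = Counter(field for r in records for field in r)
    return {field: c / n for field, c in counts.items()}


def constant_fields(records):
    """Fields whose value is identical on every record.

    A field like this ("leadhunter" on all rows) is a weak attribution clue:
    it may be a product name, a tag or a generic term shared by many
    companies, which is exactly how the original misattribution happened.
    """
    result = {}
    for field, cov in field_coverage(records).items():
        if cov < 1.0:
            continue
        if len({repr(r[field]) for r in records}) == 1:
            result[field] = records[0][field]
    return result


def source_file_hints(records):
    """Count values that look like file names; these usually name a specific
    marketing list or export and date the data better than the rows do."""
    hints = Counter()
    for r in records:
        for value in r.values():
            if isinstance(value, str) and FILE_NAME.search(value):
                hints[value] += 1
    return hints


def classify_record(record):
    """Rough shape of a record, using the three shapes the post describes."""
    if "domain" in record:
        return "whois-like"
    if "email" not in record and ("business_type" in record or "annual_revenue" in record):
        return "company-directory"
    if "email" in record and "ip" in record:
        return "personal"
    return "other"


def triage(records):
    """Summary to read before contacting anyone: constant (generic) fields,
    export file names and the mix of record shapes."""
    return {
        "constant_fields": constant_fields(records),
        "source_files": dict(source_file_hints(records)),
        "shapes": dict(Counter(classify_record(r) for r in records)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2, default=str))
```

On real data the same logic runs over a sample pulled from the exposed index; the useful output is the list of distinctive values (export names, internal field names, customer-specific aliases) rather than the fields that are constant everywhere, which is why `constant_fields` is reported separately from `source_file_hints`.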

Lastly, every time I publish a blog post like this, I get an influx of emails asking for copies of personal data. I remain one guy running HIBP for the good of the community and I'm simply not in a position to manually respond to requests like this. Not only would it be a hugely laborious exercise, there's also the question of whether I'm providing data to the actual owner of it and in an era of an untold number of account compromises every single day, no, just controlling the associated email address isn't proof of ownership. What does help enormously after blog posts like this is people chiming in on the comments below with any indicators of who might have had data associated with that particular email address. For example, domain owners who find aliases clearly pointing to a particular source. Or, in the case of Covve, people who spot a pattern or an attribute or anything else in the provided data samples that points to a particular organisation. Leave those comments below and if a pattern begins to emerge, I'll happily follow the leads and get in touch with the implicated organisation. Then you can ask them for copies of your data!

And that's pretty much all I have, so where's it from?


Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals