Recently, security researcher Troy Hunt updated his security breach notification website, Have I Been Pwned (HIBP), with a notice that a publicly accessible server operated by Florida-based marketing and data aggregation firm Exactis was exposing private information.
The notice was posted as follows:
In June 2018, the marketing firm Exactis inadvertently publicly leaked 340 million records of personal data. Security researcher Vinny Troia of Night Lion Security discovered the leak contained multiple terabytes of personal information spread across hundreds of separate fields including addresses, phone numbers, family structures and extensive profiling data. The data was collected as part of Exactis’ service as a “compiler and aggregator of premium business & consumer data” which they then sell for profiling and marketing purposes. A small subset of the exposed fields were provided to Have I Been Pwned and contained 132 million unique email addresses.
Breach date: 1 June 2018
Date added to HIBP: 25 July 2018
Compromised accounts: 131,577,763
Compromised data: Credit status information, Dates of birth, Education levels, Email addresses, Ethnicities, Family structure, Financial investments, Genders, Home ownership statuses, Income levels, IP addresses, Marital statuses, Names, Net worths, Occupations, Personal interests, Phone numbers, Physical addresses, Religions, Spoken languages
The UISO is sending this email to all @fordham.edu email addresses that were part of the breach. As we maintain the security and integrity of the University’s systems, it is our duty to inform you when we receive alerts from information security resources, both inside and outside the academic community, of any instance in which your @fordham.edu email address appears to have been part of a compromised data set.
We would like to stress that this is not an announcement that Fordham was compromised, nor was Fordham, to our knowledge, affiliated with Exactis in any way.
You can read more at the following links:
- Exactis said to have exposed 340 million records, more than Equifax breach
- Have I Been Pwned: Exactis
- Marketing Firm Exactis Leaked A Personal Info Database With 340 Million Records
- Florida Class Action Claims Exactis Breach Affects 230 Million Americans
Although passwords were not part of the breached data set, we find it prudent to advise that you do not reuse the password for your @fordham.edu account for any other online services. Attackers are aware of the potential for password reuse and will try to leverage these username/password combinations to authenticate to your Fordham University account.
Please note: Fordham IT will NEVER ask for your password or ask you to click links to validate your account or password. If you receive questionable or suspicious emails, contact IT Customer Care and allow the UISO to validate the legitimacy of these messages.
A new security awareness program will be launched by the UISO in September 2018 for Fordham employees. The online course will help employees recognize security risks and cyber threats so they may better protect the University and themselves.
If you have any questions or concerns, please contact IT Customer Care at (718) 817-3999 or HelpIT@fordham.edu.