The huge leak of a Dun & Bradstreet database containing the details of almost 33.7 million people includes over 100,000 military personnel, according to the security researcher who reported the leak.
Researcher Troy Hunt published details of the leak Tuesday, explaining that he recently received a large 52.2 GB file from an unnamed source. The file contains the records of 33,698,126 people living in the U.S., he said.
Records include individuals’ names, job titles, corporate emails and phone numbers, as well as employers’ addresses.
The identifier “netprospex contact id” that appears on every record provided a clue to the database’s origin, according to Hunt. Data management specialist NetProspex was acquired by business services giant Dun & Bradstreet in 2015.
Employees from a number of large corporations, including AT&T, IBM, Citigroup and Wal-Mart Stores, are listed in the database, although the Department of Defense is the most heavily represented organization.
“Obviously seeing over 100k military personnel piqued our attention,” Hunt wrote on his blog. “There are over 10k unique job titles in there too, titles such as ‘Soldier’ (which was the most common with 2.7k entries), but also titles like ‘Ammunition Specialist’ (91 people) and ‘Chemical Engineer’ (32) along with the sorts of roles you’d expect in the army such as ‘Intelligence Analyst’ (715) and ‘Platoon Sargent’ (670).”
The Department of Defense has not yet responded to a request for comment on this story from Fox News.
It is not clear how and when the data came to be exposed, although the leak does not appear to be the result of a hack.
“Based on our analysis, it is our determination that there has been no exposure of sensitive personal information from, and no infiltration of, our system,” explained Dun & Bradstreet, in a statement emailed to Fox News. “The information in question is data typically found on a business card. As general practice, Dun & Bradstreet uses an agile security process and evaluates and evolves security controls to protect the integrity of our data.”
Nonetheless, experts warned that the data could potentially be harnessed for a spear phishing attack that could come, for example, via a personalized spam email.
“This database will be a rich source of information for the bad guys to create very compelling, targeted spear phishing attacks and increases the likelihood of recipients opening email attachments, which renders them, and their respective organizations, highly exposed to attack,” said Simon Taylor, vice president of products at email security specialist Glasswall, in an email to Fox News.
These sentiments were echoed by Varun Badhwar, CEO of cloud security specialist RedLock. “Even if the data that was leaked is mostly publicly available, having one large data dump makes it easier for attackers to run attack campaigns where they send mass phishing emails to the 33.7 million unique email addresses at the impacted organizations,” he told Fox News, via email. “So while it’s important to quickly investigate this specific breach and find the root cause, it’s even more important for the impacted organizations to ensure that they have tools to be able to monitor their networks for anomalous activity and stay vigilant.”
Follow James Rogers on Twitter @jamesjrogers