The article talks about notifications and risks to customers of Apollo, but it's not the customers' data that was stolen... It was that of 200 MILLION people who probably never opted into having their contact information packaged and sold to third parties.
If I remember correctly it was mainly scraped LinkedIn data and then they were getting emails either from LinkedIn or some other source and pairing them with the profiles (used their product approx 1yr ago so may have changed). Don't think those random LinkedIn users ever opted into it but maybe there was something in the LinkedIn terms that allowed 3rd parties to do that (or not). But I do remember after I moved to the EU and tried to sign up for Apollo/Zen Prospect for a new venture they said they wouldn't sell me the service because I was in Germany.
This smells like someone leaving a DB open to the world (remember the old MongoDB open by default?)
I think stealing a whole database raises very serious questions as to how technically this was done and how would you prevent this at your company.
Unfortunately "transparency first" aside, companies don't usually release this information which leaves us all wondering how we can better protect our users (outside of having sane defaults, closed by default, no ssh, private networks etc...).
You would be surprised to find out how many large companies (i.e. top 500) lost their databases, banks included. Many can be googled but most never made it public or didn't even know what happened to them. Chances are that your contact data has been leaked by several parties already. My conclusion is that you can't secure data unless you make a goal of that and even then it's not a sure thing. All your private networks have multiple public entry points and possibly a coordinator (i.e. kubernetes admin). Most ecommerce companies and even payment processing companies think of security as an accessory to their business not a primary concern. If they are too focused on security they lose market share (i.e. the vetting takes too much time). The only solution is to consider all unencrypted data public and use encryption at the client level (i.e. mobile device).
So this must be the database that hundreds of relentless SAAS Sales Reps use to send me emails like "Hi there, wanted to bubble this up in your inbox and see if you'd be interested in a convo about your site and how we can increase xxx% revenue with our yyyy solution"
Oh you just wait! If you haven't gotten one of these yet, the latest version of this is that they actually send a calendar invitation (through a 3rd party service) for a meeting out of the blue. Gmail will helpfully pencil that time in on your calendar automatically until you go in and delete the event. This prevents legit meetings from being scheduled since people are afraid you have some important sales call. If you're absent minded and click "No" to your RSVP, they know you saw it! Blech!
These articles are always a little frustrating, especially to those of us who aren't familiar with data management on that scale. For example, how was the breach carried out? How did the company know it occurred? Was there something the company should have done, but didn't?
I understand why those details don't make it into the media, but it's hard not to be curious about it.
It's probably kept secret because if we knew how easy it was to steal their data that would be bad for their image. Most companies have little to no security other than "no one will think to request this url". Could be a past or present employee who knows all the unprotected systems and wanted to make some extra money selling the data.
The details usually are that someone left ssh wide open, someone else had a look at the logs and thought 'Gee I don't think we should have anyone logging in from Belarus', and hiring competent people with enough resources would have prevented this.
> Apollo’s database contains publicly available data, including names, job titles, employers, social media handles, phone numbers and email addresses. It doesn’t include Social Security numbers, financial data or email addresses and passwords, Apollo said.
Eh? So are email addresses included or not? They’re listed in both categories.
Based on the grammatical structure of the second sentence, it sounds like [email,password] pairs weren't lost, while emails alone may have been.
Can someone with more experience of these things tell me how these breaches are discovered, and how they know what information was taken? I presume it's not an exact science.
Not overly experienced with this, but years ago we used to add honeypot email addresses to our databases for a super simple & cheap way to at least get an idea of whether data had been exfiltrated. If you add a new email once a month you can get some 'timing' info, and then could start comparing against logs.
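One way to get the "timing" information this comment describes, as an added example that is not from the thread: derive one unguessable honeypot address per month with an HMAC, record when each was inserted, and use which addresses later receive mail to bound when the copy was taken. The secret, the canary domain and the dates are constructed for this example.

```python
import hashlib
import hmac
from datetime import date

# Constructed for this example; a real secret must not live in the same database.
CANARY_SECRET = b"example-only-secret"
CANARY_DOMAIN = "canary.example.net"  # assumed: a domain the defender controls


def canary_address(year, month):
    """Derive a unique, unguessable honeypot address for one month.

    An HMAC over the month tag means the address cannot be recognised or
    forged by someone who only holds a copy of the database.
    """
    tag = f"{year:04d}-{month:02d}".encode()
    digest = hmac.new(CANARY_SECRET, tag, hashlib.sha256).hexdigest()[:12]
    return f"c{digest}@{CANARY_DOMAIN}"


def seed_canaries(start, months):
    """Return {address: insertion_date} for a run of monthly canaries,
    one inserted on the first of each month starting at `start`."""
    seeded = {}
    year, month = start.year, start.month
    for _ in range(months):
        seeded[canary_address(year, month)] = date(year, month, 1)
        month += 1
        if month > 12:
            year, month = year + 1, 1
    return seeded


def exfil_window(seeded, triggered):
    """Bound when the data was copied from the set of canaries that received mail.

    Lower bound: the newest canary that received mail was already in the
    database. Upper bound: the oldest later canary that stayed silent was not
    yet present (None if every later canary also fired). Returns None when no
    canary has fired. The window is what you then compare against access logs.
    """
    hits = [inserted for addr, inserted in seeded.items() if addr in triggered]
    if not hits:
        return None
    lower = max(hits)
    later_silent = [inserted for addr, inserted in seeded.items()
                    if inserted > lower and addr not in triggered]
    upper = min(later_silent) if later_silent else None
    return lower, upper
```

A canary only fires when the buyer actually mails it, so the window tells you the copy happened no earlier than the last canary that fired, not when it happened.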
"The email said that company said the breach was discovered weeks after system upgrades in July."
Wow. They emailed customers but made no public announcement that people's email addresses and personal info had been stolen and now available on the black market.
This is absolutely atrocious incident management and disclosure. I smell a lawsuit, possibly from the state or federal government.
If you want to do something about this (and other) negligible organizations, head over to https://opt-out.eu, search for Apollo, and the site will generate a GDPR erasure request that you can send. Disclaimer: I'm one of the site's creators.
I have just read an article that might be useful for everyone who has received multiple calls from legit businesses at http://www.whycall.me/news/my-4500-payday-from-a-telemarkete.... It's quite difficult, but I think if we could win against those telemarketers, it will feel really good.
Isn't that data freely available already on their website? It looks like you can get full name, company, position just by creating a free account. Maybe they just scraped it.
One wonders how much the dataset would go for in the black market.
So I guess email addresses are a nullable field?
Basically it's about the emails that they were scraping / guessing, not their users' emails.