Data breach exposes 122M records from DemandScience following initial denials – News

A database with information on 122 million people that has been circulating since February 2024 has been confirmed to have been stolen from the business-to-business demand generation platform DemandScience US LLC.

The database first appeared for sale on the infamous hacking forum BreachForums from a user called “KryptonZambie,” who claimed that the data was stolen from Pure Incubation, the name that DemandScience was previously known. However, at the time, DemandScience denied that the data belonged to them.

“All our systems are 100% operational, and we have not found any indication that a hack or breach to any of our systems or data has occurred (all are secured behind firewall/VPN access/Access control/intrusion detection systems),” a spokesperson for the company said at the time. “We are continuing to monitor the situation, so it would not be appropriate to expand further at this point.”

Bleeping Computer, who obtained the response from DemandScience, followed up again but did not receive a response from the company.

Forward to August and the same data set was then offered by KryptonZambie on BrechForums for eight credits – the equivalent of a few dollars, making the data close to free.

Now, in November, security researcher Troy Hunt from Have I Been Pwned writes that the data is authentic and that its origin is DemandScience. The confirmation came from someone exposed in the leak who contacted DemandSciene and was told that the leaked data “originated from a system that had been decommissioned two years ago,” despite DemandScience previously denying any links to the data.

Discussing the news, Aaron Walton, threat intelligence analyst at managed detection and response firm Expel Inc., told News via email that “all businesses should think about their data exposure in terms of risk” and that “in the case of data aggregation platforms, the theft of their data equates to the theft of their most prized possession.”

“With this data stolen and made public, it allows for a significant impact on their business,” Walton explains. “That is, why should a company pay DemandScience if they can find the information they want for cheap?”

“A breach like this may go undetected if organizations aren’t monitoring the full breadth of their security,” Walton added. “In this case, it sounds like some tech was decommissioned but not fully sunset.. when possible, it is best to have a strong process to confirm that assets are fully decommissioned.”

Image: News/Ideogram