Exactis 2018 Data Breach
ObscureIQ Breach Intelligence
High SeverityWebsite / service breach
Exactis Marketing Data Broker Breach: 110M Consumer Profiles Including Income, Religion & Ethnicity
Marketing data broker (defunct)
Verified by ObscureIQ Intelligence
60/100Breach Risk Index
25Data Value
25Market Recency
512dSince Breach
Breach Intelligence Summary
Entity: Exactis · Actor: Unknown · Sources: 5 references
Attack: Misconfiguration
Profile: Data Broker · Consumer and business data aggregation, marketing data, and profiling · Marketing data broker and analytics provider · USA
Timeline: Breach (2018-06-01) · Indexed (Dec 01, 2024) · Year (2018)
Exposure: 110.0M records · 19 fields: Credit Status, Date of Birth, Education Information, Email Address, Ethnicity or Race, Family Structure, Financial Profile, Full Name, Gender, Homeownership Status, IP Address, Investment Information, Job Information, Personal Interests, Phone Number, Physical Address, Relationship Status, Religion, Spoken Language
Status: Confirmed
Executive Summary
Exactis, a Florida-based marketing data broker, exposed a database of roughly 340 million consumer and business records in June 2018 after leaving it publicly accessible due to a misconfiguration. Security researcher Vinny Troia of Night Lion Security discovered the leak, which spanned multiple terabytes across hundreds of data fields. No external attacker was required. The data was simply open on the internet. Around 110 million individuals are confirmed affected, with a subset of 132 million unique email addresses later added to the public breach notification service Have I Been Pwned. The exposed records were unusually detailed for a data breach. Beyond names, email addresses, phone numbers, and physical addresses, the dataset included dates of birth, income levels, net worth, financial investments, home ownership status, family structure, marital status, religion, ethnicity, spoken languages, education levels, occupations, and personal interests. Exactis compiled and sold this kind of profiling data to businesses for marketing and targeting purposes. Its exposure creates serious risk for affected individuals, including identity theft, phishing attacks tailored with personal details, and misuse by people-search services or other data aggregators. No major regulatory action or class-action settlement has been publicly confirmed in connection with this breach. Because Exactis collected data on people who never directly interacted with the company, many affected individuals had no way of knowing their information was held there in the first place. Anyone who may be included should be alert to targeted phishing attempts and consider monitoring their credit and identity for signs of misuse.
ObscureIQ assessment: Extremely high risk because the dataset supports profiling at scale. Exposure enables identity theft, phishing, people-search abuse, and granular consumer targeting.
Breach Impact
The Exactis breach was especially serious because it exposed one of the richest broker-style profiling datasets ever left open on the public internet. Public breach tracking says the leak involved 340 million records and a subset containing 131.6 million unique email addresses, with hundreds of fields spanning names, addresses, phone numbers, dates of birth, income levels, family structure, net worth, interests, religion, and other profiling data, making the corpus highly useful for phishing, fraud pretexting, identity linkage, enrichment, and large-scale targeting.
About Exactis
Exactis was a Florida-based marketing data broker and profiling company that described itself as a compiler and aggregator of premium business and consumer data. Its business model centered on collecting, structuring, and licensing large volumes of consumer and business records for profiling, segmentation, marketing, and sales use cases.
Why They Hold Your Data
Marketing data brokers aggregate consumer and business identity, contact, demographic, behavioral, and profiling data across advertising, analytics, and enrichment workflows.
Recent Developments
Exactis’ public corporate profile appears to have largely collapsed after the 2018 exposure. Reporting in 2019 described the company as effectively finished as a business after customers and partners pulled away, and there is little visible evidence today of a meaningful operating presence beyond legacy references and dormant company information.
Data Points Exposed
19 verified field types
Credit Status High
Date of Birth High
Education Information
Email Address
Ethnicity or Race High
Family Structure
Financial Profile High
Full Name High
Gender
Homeownership Status
IP Address
Investment Information High
Job Information
Personal Interests
Phone Number
Physical Address High
Relationship Status
Religion High
Spoken Language
Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.
Exploitation & Downstream Threats
Threat Activity:Critical
Primary downstream threats:
- Financial fraud using exposed financial profile data
- Identity verification bypass using name + date of birth combination
- SIM swap attacks where phone numbers are present
- Targeted phishing campaigns using exposed email addresses
- Doxxing risk from physical address exposure
- Employment-based social engineering using job and employer data
Threat vectors:
- Fraudulent credit application
- Identity verification bypass
- Credential fraud & spear-phishing
- Phishing, credential stuffing & account takeover
- Discriminatory targeting & hate crime enablement
- Household targeting
- Loan fraud & targeted financial scams
- Name-based social engineering
- Profile enrichment
- Mortgage & deed fraud
- Geolocation & account flagging
- Occupation-specific phishing
- SIM swapping, vishing & SMS phishing
- Physical stalking, mail fraud & identity verification
- Home targeting, stalking & physical threat
- Social engineering context
- Romance & family emergency fraud
- Targeted harassment & discrimination
- Targeted phishing localization
Recommended Actions
If you believe your information may be included:
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
Frequently Asked Questions
What happened in the Exactis breach?▾
Exactis, a Florida-based marketing data broker, exposed a database of roughly 340 million consumer and business records in June 2018 after leaving it publicly accessible due to a misconfiguration. Security researcher Vinny Troia of Night Lion Security discovered the leak, which spanned multiple…
What data was exposed?▾
Verified fields include Credit Status, Date of Birth, Education Information, Email Address, Ethnicity or Race, Family Structure, Financial Profile, Full Name, Gender, Homeownership Status, IP Address, Investment Information, Job Information, Personal Interests, Phone Number, Physical Address, Relationship Status, Religion, Spoken Language.
What should I do if I was affected?▾
Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.
Sources & References
Every claim on this page is traceable. This breach draws on:
Breach Index
Breach Index
Cross-source
9ghz
Cross-source
DataViper.io
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Protect Yourself
Check If You're Affected
Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.
Get Free Breach Alerts
Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.
High-Risk? Get an Exposure Audit
Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.
Request Consultation