People Data Labs; PeopleDataLabs 2019 Data Breach

People Data Labs Data Broker Exposure (2019): 622 Million Professional Profiles Found in Unprotected Database | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Social EngineeringData BrokerEmail AddressEmployerFull NameGeographic LocationJob InformationPhone NumberSocial Media Profile
Low SeverityWebsite / service breach

People Data Labs Data Broker Exposure (2019): 622 Million Professional Profiles Found in Unprotected Database

Data provider focused on people and workforce intelligence.

Verified by ObscureIQ Intelligence
18/100Breach Risk Index
9Data Value
10Market Recency
2348dSince Breach

Breach Intelligence Summary

Entity: People Data Labs; PeopleDataLabs · Actor: Unknown · Sources: 3 references
Attack: Social Engineering
Profile: Data Broker · Workforce, identity, and company data provision · People and company data API provider · Global
Timeline: Breach (2019-10-01) · Indexed (Nov 22, 2019) · Year (2019)
Exposure: 622.2M records · 7 fields: Email Address, Employer, Full Name, Geographic Location, Job Information, Phone Number, Social Media Profile
Status: Reported

Executive Summary

People Data Labs, a San Francisco-based data broker specializing in professional profile enrichment, was at the center of one of the largest personal data exposures ever recorded. In October 2019, security researchers Vinny Troia and Bob Diachenko discovered an unprotected Elasticsearch server hosted on Google Cloud Services containing roughly 1.2 billion records across 4 terabytes. The exposed data included an index traced to PDL and contained 622 million unique email addresses. PDL denied owning the server, attributing the exposure to a customer who failed to secure their copy of the data. The records exposed included names, email addresses, phone numbers, job titles, employers, geographic locations, and social media profiles from platforms including LinkedIn, Facebook, and GitHub. Because this data had already been normalized and enriched for professional targeting, it was especially ready for misuse. Affected individuals faced elevated risks of spearphishing, identity linkage across datasets, people-search abuse, and highly personalized social engineering attacks. No major regulatory action or class action was publicly reported in connection with this incident. PDL maintained that securing customer-held data falls outside its responsibility once the data is transferred. For affected individuals, the practical risk remains: their professional and personal identity details may have been scraped, aggregated, or further exposed by third parties, with limited ability to know where that information has since traveled.

ObscureIQ assessment: High risk because the data is already normalized for targeting. Exposure can enable large-scale profiling, people-search abuse, spearphishing, executive targeting, and identity linkage across datasets.

Breach Impact

The 2019 incident is best understood as a major downstream exposure tied to People Data Labs-sourced enrichment data, not a straightforward compromise of People Data Labs’ own production systems. Public reporting and breach trackers say the exposed Elasticsearch server was not owned by PDL and was likely operated by a customer, but the incident still put People Data Labs at the center of a very large exposure involving names, emails, phone numbers, job history, geographic data, and social profile information, reinforcing the scale and sensitivity of brokered enrichment data and the risk that customer misuse or weak downstream security can create. �

About People Data Labs; PeopleDataLabs

People Data Labs is a B2B data broker and API provider focused on people, company, and workforce intelligence. Its products are built for enrichment, identity resolution, recruiting, analytics, and modeling use cases, and the company markets large-scale person and company datasets as infrastructure for enterprise technical teams. �

Why They Hold Your Data

People and company data providers aggregate workforce, identity, employment, company, and contact records into structured APIs used for enrichment, sales, recruiting, and analytics.

Recent Developments

People Data Labs appears to still be operating as a growth-stage data infrastructure company. In 2025 it announced a $45 million Series B led by Craft Ventures and Flex Capital, and it continues to market large-scale people and company datasets, API access, compliance controls, and privacy-request tooling as core parts of the business. �

Data Points Exposed

7 verified field types
Email Address
Employer
Full Name High
Geographic Location
Job Information
Phone Number
Social Media Profile

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:High
Primary downstream threats:
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
  • Employment-based social engineering using job and employer data
  • Social media account targeting and impersonation
Threat vectors:
  • Phishing, credential stuffing & account takeover
  • Business Email Compromise seeding
  • Name-based social engineering
  • Pattern-of-life analysis & physical surveillance
  • Vishing & authority impersonation
  • SIM swapping, vishing & SMS phishing
  • Account impersonation & social graph harvesting

Recommended Actions

If you believe your information may be included:

Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Find 2FA settings
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
IdentityTheft.govReport to FTC

Frequently Asked Questions

What happened in the People Data Labs; PeopleDataLabs breach?

People Data Labs, a San Francisco-based data broker specializing in professional profile enrichment, was at the center of one of the largest personal data exposures ever recorded. In October 2019, security researchers Vinny Troia and Bob Diachenko discovered an unprotected Elasticsearch server…

What data was exposed?

Verified fields include Email Address, Employer, Full Name, Geographic Location, Job Information, Phone Number, Social Media Profile.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
DataBreach.com
Record & field corroboration
Breach Index
Have I Been Pwned
Record & field corroboration
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation