CRITICAL SEVERITY
Data Broker
Marketing Profiles
Consumer Data
Mass Exposure

Exactis Data Breach

Verified by ObscureIQ Intelligence

Severity: 9.2
Records: 110M
Data Fields: 20+
Year: 2018

Impact & Downstream Threats

This breach carries critical risk due to the extraordinary depth of profiling data — combining financial, demographic, behavioral, and contact information across 110 million individuals.

Primary downstream threats:
  • Synthetic identity construction using full demographic + financial profile data
  • Targeted phishing leveraging personal interests, religion, ethnicity, and family structure
  • Financial fraud using income, net worth, credit status, and investment data
  • Real estate and title fraud using homeownership + address data
  • Doxxing risk due to physical address, phone, email, and family linkage
  • Employment-based social engineering using occupation and employer data

Data brokers collect and cross-reference hundreds of attributes per individual. When exposed, this data enables highly personalized attacks.

Breach Intelligence

Entity: Exactis (data broker / aggregator)
Headquarters: Palm Coast, Florida, USA
Breach Date: June 2018
Disclosure: June 26, 2018
Records Exposed: ~110 million
Attack Vector: Publicly accessible database (misconfiguration)
Discovered By: Vinny Troia, Night Lion Security
Source: DataBreach.com / HIBP / ObscureIQ
Status: Confirmed

Executive Summary

In June 2018, security researcher Vinny Troia of Night Lion Security discovered that Exactis had accidentally exposed a massive database containing approximately 340 million records on a publicly accessible server.

The dataset spanned multiple terabytes with hundreds of data fields per individual — one of the most granular consumer profiling datasets ever publicly exposed.

A subset of 132 million unique email addresses was later indexed by Have I Been Pwned.

The breach underscored the systemic risks of data broker operations, where personal information is compiled, enriched, and resold with minimal oversight.

About Exactis

Exactis was a Florida-based data broker that compiled and aggregated premium consumer and business data for marketing and profiling purposes. The company maintained one of the largest known consumer databases in the United States.

  • Compiled detailed consumer marketing profiles
  • Aggregated data from public and commercial sources
  • Sold enriched datasets to advertisers and marketers
  • Maintained records on over 200 million U.S. adults

If your data was collected by any U.S. data broker prior to 2018, your information may be included.

Data Points Exposed

Verified fields in the released dataset:
  • Email addresses
  • Full names
  • Phone numbers
  • Physical addresses
  • Dates of birth
  • IP addresses
  • Credit status
  • Income levels
  • Net worth estimates
  • Investment information
  • Homeownership status
  • Family structure
  • Ethnicity / race
  • Religion
  • Personal interests & hobbies
  • Education information
  • Employment / occupation
  • Marital status
  • Gender
  • Spoken language

Not confirmed in dataset:
  • Passwords (plaintext)
  • Social Security Numbers

Dark Web Verification

Status: Confirmed — data circulating across multiple channels

  • Dataset containing ~110M records identified in breach intelligence sources
  • Data indexed and searchable across breach notification platforms
  • Multiple instances observed on dark web forums and data trading channels
  • Dataset combined with other breaches to create enriched identity packages

Due to profiling depth, this remains one of the most exploitable datasets in circulation.

Recommended Actions

⚠️ Do not assume this is low sensitivity.

  • Freeze Your Credit: Place a credit freeze with Equifax, Experian, and TransUnion. This breach includes financial profiling data.
  • Expect Targeted Phishing: Attackers can reference your interests, religion, income level, and family structure.
  • Secure Email & Enable MFA: Email compromise is often the first pivot point. Enable MFA on all accounts.
  • Monitor Financial Accounts: Watch for unauthorized credit applications, loan inquiries, and address changes.
  • Suppress Personal Data: Remove exposed data from broker networks and search engines.
  • Check Your Exposure: ObscureIQ clients: this breach is indexed in your profile. Non-clients may request a breach impact review.

Frequently Asked Questions

What happened in the Exactis data breach?

In June 2018, security researcher Vinny Troia discovered that Exactis had left a database containing ~340 million records publicly accessible, spanning financial, demographic, and behavioral information.

What data was exposed?

Over 20 categories including names, emails, addresses, phone numbers, dates of birth, income levels, credit status, net worth, family structure, ethnicity, religion, and personal interests.

How many records were affected?

Approximately 110 million unique records. 132 million unique email addresses were indexed by Have I Been Pwned.

Is this breach confirmed?

Yes. Independently verified by Vinny Troia of Night Lion Security and confirmed through HIBP and DataBreach.com.

Is the data being used by criminals?

The data has been observed circulating across dark web forums. The depth of profiling data makes it valuable for identity theft, synthetic fraud, and social engineering.


ObscureIQ Advisory

We combine proprietary dark web access with commercial and restricted breach intelligence to verify exposure and assess real-world risk.

If you are:
  • A public-facing individual
  • A high-profile executive
  • A customer or data subject of Exactis
  • Or concerned about data broker exposure

Classification Tags

Data Exposure, Misconfiguration, Data Broker, Marketing / Advertising, Email, Phone, Address, DOB, Financial Profile, Credit Status, Detailed Marketing Profiles

Powered by the ObscureIQ Breach Intelligence Database

© 2026 ObscureIQ · All Rights Reserved · Data Licensing
