In February 2024, a significant data breach exposed the business contact information of 122 million individuals, stolen from DemandScience, a B2B demand generation platform. DemandScience, formerly known as Pure Incubation, collects and aggregates business data from public sources and third-party providers, including email addresses, phone numbers, job titles, and social media profiles. The breach was attributed to a threat actor named ‘KryptonZambie,’ who first advertised the stolen data on BreachForums. DemandScience initially denied any breach, asserting that its systems were secure behind firewalls and other protections.
Despite the company’s claims, in August 2024 the hacker made the stolen data available to anyone for just a few dollars’ worth of credits. This raised concerns about the security of the data aggregation processes, as the stolen information had been circulated widely. Although the breach went unacknowledged at first, an investigation confirmed that the data did indeed come from a decommissioned system that had been inactive for two years. DemandScience reiterated that its current operational systems were not compromised, though it did not deny the authenticity of the leak.
Troy Hunt, a cybersecurity expert, validated the data’s authenticity in his blog post, revealing that several affected individuals, including himself, found their personal information in the breach. The 122 million unique email addresses from the stolen dataset were added to the Have I Been Pwned platform, where affected users were notified about the breach. The data included sensitive contact details of people who had previously worked at various companies, further underscoring the risk posed by inadequate data protection practices in large organizations.
The breach highlights the inherent risks of data aggregation, where vast amounts of personal information are collected from various public and private sources. DemandScience’s failure to detect the breach and its slow response have raised questions about the security measures in place for handling such large datasets. As a result, organizations handling business information are urged to implement robust security measures, regularly audit their systems, and remain vigilant to protect sensitive data from being exposed or misused.