A data breach exposes 122 million DemandScience records after initial denials

A database containing information on 122 million people in circulation as of February 2024 has been confirmed to have been stolen from business-to-business demand generation platform DemandScience US LLC.

The database first appeared for sale on the infamous hacking forum BreachForums from a user named “KryptonZambie,” who claimed the data was stolen from Pure Incubation, the name DemandScience previously knew. However, DemandScience denied at the time that the data belonged to it.

“All our systems are 100% operational and we have found no indication that there has been a hack or breach of any of our systems or data (they are all secured behind a firewall/VPN access/access control/intrusion detection systems),” one A company spokesperson said this at the time. “We continue to monitor the situation so it would not be appropriate to expand further at this time.”

Beeping computerthat received the response from DemandScience followed up again, but received no response from the company.

Forward to August and the same dataset was then offered by KryptonZambie on BrechForums for eight credits – the equivalent of a few dollars, making the data virtually free.

Now, security researcher Troy Hunt of Have I Been Pwned wrote Wednesday that the data is authentic and that its origin is DemandScience. The confirmation came from someone involved in the breach who contacted DemandScience and was told that the leaked data “came from a system that was decommissioned two years ago,” despite DemandScience previously having no connection with the data denied.

Aaron Walton, threat intelligence analyst at managed detection and response company Drive Out Inc.told SiliconANGLE via email that “all companies need to think about their data exposure in terms of risk” and that “in the case of data aggregation platforms, the theft of their data is equivalent to the theft of their most valuable asset.”

“With this data being stolen and made public, it will have a significant impact on their business,” Walton said. “That is, why would a company pay DemandScience if it can find the information it wants cheaply?”

A breach like this can go unnoticed if organizations don’t monitor their security across the board, he added.

“In this case, it sounds like some technology has been retired, but not completely gone,” he said. “Where possible, it is best to have a strong process in place to confirm that assets have been completely decommissioned.”

Image: SiliconANGLE/Ideogram