
Marketing Firm Accidentally Exposes 340 Million Records Online

The reported data leak at Exactis potentially exposes every adult in the US to the risk of identity theft. The records contain detailed personal information, ranging from phone number, address, and date of birth to whether you own a dog or read books.

Michael Kan, Principal Reporter


A little-known marketing firm may have exposed the personal information of every adult in the US.

On Wednesday, a security researcher named Vinny Troia said he stumbled on a massive database containing the detailed records of 340 million people, all of which were mistakenly made available online.

The records were held in a database from Exactis, a firm that specializes in helping companies reach potential customers via email, phone number or postal address. For some reason, Exactis failed to place the database behind a firewall, leaving it open for anyone to access.

How long the database was exposed isn't known, but it contained detailed information on 230 million consumers, and another 110 million business contacts, Troia told PCMag.

Each record can list the subject's phone number, address, date of birth, estimated income, number of children, education level, credit rating and much more. According to Troia, the records are divided into dozens of different fields that can identify whether a person reads books, owns a dog or cat, or invests in real estate.

"I looked up a bunch of my friends and the data was all pretty accurate," Troia said, adding: "This is more information that other people can use to create scams or do fraudulent activities."

News of the leak was first reported by Wired. Fortunately, the affected records contain no social security numbers or credit card information. And according to Troia, Exactis pulled the database off the open internet when he contacted the company about the leak.

Still, the incident raises an unsettling question: Did any hackers notice the 340 million records too?

It's certainly possible, given that the Exactis database was indexed online, according to Troia, who leads his own security firm, Night Lion Security. A month ago, he discovered the records while investigating the security of databases built with Elasticsearch. Using a search engine called Shodan, he was able to identify about 7,000 publicly accessible Elasticsearch databases, one of which he later discovered was owned by Exactis.

"The server was kind of wide open," Troia said. "If anybody was looking for it, they could've found it and grabbed the data."

So far, Exactis hasn't publicly commented on the leak. However, the Florida-based company does claim to have records on 218 million individuals, along with 52 million records with business phone numbers.

How it obtained so much sensitive information isn't clear. But Exactis is merely one of several data-mining firms that excel at collecting people's personal data for marketing purposes. Other providers such as Acxiom can collect the information by tapping into public records, using consumer surveys or buying it from commercial entities that have managed to gather the data with your own consent.

As creepy as this sounds, the data-mining is usually done legally. But clearly, hoarding all that sensitive data can also pose a massive security risk.
