On May 15, I was alerted by security researcher Troy Hunt’s Have I Been Pwned service that one of my email addresses was contained in a data breach – “You’re one of 22,802,117 people pwned in the db8151dd data breach”.
The notification contained the following description:
“In February 2020, a massive trove of personal information referred to as “db8151dd” was provided to HIBP after being found left exposed on a publicly facing Elasticsearch server. The exposed data could not be attributed to an owner and appears to be related to a CRM which aggregated personal information and customer interactions. The data was provided to HIBP by dehashed.com.”
Shortly afterwards, contact management company Covve acknowledged that the data was theirs.
The amount of data exposed was staggering – almost 90 gigabytes' worth, including email addresses, job titles, names, phone numbers, physical addresses, and social media profiles, along with interactions between Covve users and their contacts.
While I had personally never heard of Covve prior to the breach notification, it meant that someone within my circle was using their app at some point and had added/imported my personal information.
To date, none of those I reached out to with knowledge of this particular address of mine could acknowledge or recall using this app.
This is a unique privacy breach in that it affected millions of people who had nothing to do with Covve – but whose personal information was added to it by someone they know.
Read more about the “db8151dd” breach at troyhunt.com.
Just blogged: The Unattributable "db8151dd" Data Breach https://t.co/NK0b54zbX6
— Troy Hunt (@troyhunt) May 15, 2020