Massive Data Breach Exposes 122 Million Business Contacts from DemandScience

Published
Written by:
Lore Apostol
Infosec Writer & Editor

Sensitive business contact information for just under 122 million individuals has been leaked following a breach of the B2B demand generation platform DemandScience (formerly Pure Incubation). Security researchers confirmed the leak, which was attributed to a system decommissioned approximately two years ago.

The 121,796,165 affected email addresses have been integrated into the Have I Been Pwned database. Impacted parties will receive notifications regarding their exposure status. Troy Hunt, a respected figure in the cybersecurity community, validated the authenticity of the breach. Hunt's investigation confirmed that his own data, alongside others, was compromised in the leak.

The breach initially came to light in February 2024 when a threat actor identified as KryptonZambie began selling 132.8 million records on a popular hacker forum. These records included comprehensive datasets containing full names, physical addresses, email addresses, phone numbers, job titles, functions, and social media links, all sourced from public data aggregation practices.

Marketplace listing of DemandScience (aka Pure Incubation). Source: BleepingComputer

At that time, DemandScience denied any evidence of a breach occurring within their systems.

However, the situation took a definitive turn on August 15, 2024, when KryptonZambie made the dataset available for a nominal fee, effectively leaking this vast trove of data. This leak has significant ramifications for digital marketers and advertisers who rely on such data to create target-rich profiles.

DemandScience has since acknowledged the authenticity of the leaked data, attributing it to a system decommissioned approximately two years ago. Despite their initial assurances about operational security, this acknowledgment underscores the vulnerabilities that can persist even after a system has been decommissioned.

In August, data from a breach of the data scraping company National Public Data was leaked online, allegedly offering sensitive information such as names, addresses, phone numbers, and Social Security Numbers.


