Massive Data Breach Exposes 122 Million Business Contacts from DemandScience

Published on November 14, 2024
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer

Sensitive business contact information for the south of 122 million individuals has been leaked following a breach of the B2B demand generation platform DemandScience (formerly Pure Incubation). Security researchers confirmed the leak, which was attributed to a system decommissioned approximately two years ago.

The 121,796,165 affected email addresses have been integrated into the Have I Been Pwned database. Impacted parties will receive notifications regarding their exposure status. Troy Hunt, a respected figure in the cybersecurity community, validated the authenticity of the breach. Hunt's investigation confirmed that his own data, alongside others, was compromised in the leak.

The breach initially came to light in February 2024 when a threat actor identified as KryptonZambie began selling 132.8 million records on a popular hacker forum. These records included comprehensive datasets containing full names, physical addresses, email addresses, phone numbers, job titles, functions, and social media links, all sourced from public data aggregation practices.

Marketplace Listing of DemandScience(aka Pure Incubation) Source: BleepingComputer

At that time, DemandScience denied any evidence of a breach occurring within their systems.

However, the situation took a definitive turn on August 15, 2024, when KryptonZambie made the dataset available for a nominal fee, effectively leaking this vast trove of data. This leak has significant ramifications for digital marketers and advertisers who rely on such data to create target-rich profiles.

DemandScience has since acknowledged the authenticity of the leaked data, attributing it to a system decommissioned approximately two years ago. Despite their initial assurances about operational security, this acknowledgment underscores the vulnerabilities that can persist even post-system decommissioning.

In August, the data scraping company National Public Data breach was leaked online, allegedly offering sensitive information, such as names, addresses, phone numbers, and Social Security Numbers.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: