Last week was a critical one with respect to data breaches. We learned about two extensive leaks involving data from Facebook and Exactis, two companies that not only maintain records of our personal information, but also manage data containing various private details about our lives. Keep reading to learn more about these leaks, see why they matter and discover what you can do to protect yourself.

What you need to know about the Facebook leak

What happened?

On June 27, it was revealed that about 120 million Facebook users potentially had their data leaked via third-party quizzes developed by the brand NameTests, which has made dozens of popular Facebook quizzes over the years. If this feels like déjà vu, it should: this news comes barely three months after the Cambridge Analytica scandal, which involved another quiz developer on Facebook’s platform. In the case of NameTests, the leaked data appears to be the result of a flaw rather than intentional or malicious design, but that’s of little consequence to any victims of the leak.

From what we know, the exposed data – including basic profile information like photos, names, gender, age and birthdays – was stored in a way that could technically, and very easily, be seen or used by third parties. German app developer Social Sweethearts, the group that runs NameTests, told various outlets that there’s no evidence of abuse or access by unauthorized third parties. Statements like this are fairly common after unintentional leaks like this one, but at best they amount to empty platitudes. In an age where hackers know how to cover their tracks, one should assume that if data has been left exposed for some time, it has likely been stolen or abused. For the earliest Facebook users to take NameTests quizzes, which bear titles like “Which Disney Princess Are You?,” this exposure could have lasted years – more than enough time for the information to be discovered and extracted.

What should victims do?

According to security enthusiast and self-described hacker Inti De Ceukelaire, who disclosed the issue to Facebook through its data abuse bounty program, simply removing NameTests’ quizzes from your authorized applications wouldn’t restrict their access to your information. He discovered that users would also have to manually delete all of their cookies. For now, the best way to protect yourself from applications like this is to review your privacy settings and carefully vet the apps you connect to your Facebook account.

While news of this breach broke unexpectedly, the development is not a surprise: the Cambridge Analytica saga taught us that Facebook was fairly loose with earlier iterations of its developer platform. That’s why, as consumers, we should operate on the assumption that there may be other Facebook leaks, or even breaches, at least as bad as the ones we’ve heard about so far.

What you need to know about the Exactis leak

Who is Exactis?

News of a second breach, involving a Florida-based data broker named Exactis, also came to light on June 27. If you’ve never heard of Exactis, you can be forgiven, as many consumers are just learning about the company for the first time. As we mentioned in an article last year, the specifics of most data brokers’ and data aggregators’ businesses tend to be hidden and difficult to learn about. Exactis seems to be no exception to this rule, and given that its primary customers are businesses that purchase data, consumers are likely to remain in the dark about Exactis’ business.

What happened?

Earlier in June, security researcher Vinny Troia discovered an exposed database holding nearly two terabytes (TB) of data. To put that size in perspective, consider that one terabyte is 1,000 gigabytes (GB), with one gigabyte being the amount of data used to stream one hour of Netflix programming. In other words, the amount of data exposed is nearly the size of 2,000 hours of Netflix content. In terms of the actual number of records, it’s believed that this massive database contains almost 340 million records on nearly 230 million Americans, or in Troia’s own words, “It seems like this is a database with pretty much every U.S. citizen in it.” If this is true, then this leak is even more severe than the infamous Equifax data breach of last year.

With regard to Exactis’ breach, it doesn’t appear that financial information or social security numbers were part of the database; however, the details that were compromised seem far more intimate. In addition to general public record details – names, phone numbers and addresses – it appears that Exactis, like many other data brokers, aggregated consumer behavioral data. Record entries contained things like religious affiliation, pets and known interests and hobbies. While this information might not lead to financial or credit-related identity theft, it might allow malicious individuals to personally identify, impersonate or harass victims of this leak. Additionally, unlike social security numbers and financial account details, this type of information is not replaceable, making it harder to mitigate the consequences of this leak. As of this post, Exactis hasn’t explicitly commented on the issue, so it’s not clear what recourse, if any, consumers will receive. There is a nationwide class action lawsuit against the firm in a district court in Jacksonville, Florida, but as with the actions taken against Equifax, it’s unlikely this will lead to any substantive benefits for consumers or changes to the industry.

Since there’s currently no way of knowing whether or not you’re in Exactis’ leaked database, the best advice is to assume you are. While you can’t do anything about the breach itself, you’ll want to keep an eye out for potential abuse (e.g., monitor your bank accounts and credit card statements and watch out for phone scams). Services like identity theft protection might be useful for at least monitoring the dark web for abuse of your personal information, so that you can take the steps needed to address potential personal, financial or reputational harm.

If you want to learn how to limit the data companies like Exactis can collect from you, read our online privacy guide. This will teach you how to protect yourself from cookies, browser fingerprinting and all the other techniques companies use to track you online. Also, follow our data breach alerts blog to learn more about these and other breaches that may be revealing your identity.