Huge cache of 1.2 billion personal records found online: What to do

Old paper files in manila folders on shelves in archive.
(Image credit: Imagewell/Shutterstock)

UPDATE: These records have been fed into the HaveIBeenPwned database, so you can now search for your email address(es).

A treasure trove of records containing personal details of 1.2 billion people was found unprotected on the open internet last month, security researchers Bob Diachenko and Vinny Troia disclosed today (Nov. 22). But don't panic! 

Most or all of the data is already publicly available, including names, addresses, email addresses, phone numbers and links to social-media profiles. No passwords, Social Security numbers or credit-card numbers were involved, and dates of birth do not seem to have been either. (The database is no longer accessible online.) 

Nonetheless, this kind of public data isn't normally all found in the same place for free. It seems that the data was taken, perhaps legitimately, from People Data Labs and, two different people-search services that (legally) scrape the internet to aggregate details about individuals for marketing purposes, and then charge their customers for access. 

As such, you can think of these services as phone books for everyone who has a presence online, and the open database as a free version of that. The data could arguably all be considered contact information.

What's the danger?

Do you need to worry about this? Perhaps not. All this data stored in one place would make it easier for spammers and scammers to contact you, but they could also just buy (or steal) the same information from either of the two firms from which this data trove was taken. 

Scammers can also use free tools to scrape such data from websites. One such tool is Maltego, freemium software that lets you plug in a name, address or phone number and get a list of all the online data associated with that piece of data. It's possible that the people-search services whose data ended up in the unprotected database used similar tools.

What you can do 

What you CAN do is make sure that your social-media profiles don't contain the truly sensitive data that would let someone steal your identity or hijack your online accounts. 

So make sure your date of birth isn't visible on your Facebook profile. You can live without those canned birthday wishes from people you barely know. Don't even post the day and month, because it's easy enough to figure out your year of birth by looking at your school friends.

Don't put a photo of your credit card on Instagram or Twitter. Don't put your Social Security number anywhere online, unless you're checking your credit reports or doing business with the government. And, for heaven's sake, stop reusing passwords.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.