DemandScience (Pure Incubation) data aggregator leaks data of over 120 million people
Take action: One more time - data greed is bad. Never store old data "just in case" because it will eventually leak or be hacked.
A data breach at DemandScience (formerly known as Pure Incubation), a B2B demand generation and data aggregation company, has resulted in the exposure of millions of business professionals' information. The incident has now been confirmed after initial denials from the company.
The incident initially surfaced in February 2024, when it was announced on the hacker forum BreachForums by 'KryptonZambie'. The actor was selling 132.8 million records, containing 122 million unique email addresses.
The situation evolved on August 15, 2024, when KryptonZambie made the entire dataset available for just 8 credits (equivalent to a few dollars) on hacking forums, essentially making the data freely accessible. The breach's authenticity was subsequently confirmed by renowned security researcher Troy Hunt, who verified his own historical data from his time at Pfizer within the leaked dataset. Additional verification came from other affected individuals who contacted DemandScience directly.
Exposed data types include:
- Full names
- Physical addresses
- Email addresses
- Telephone numbers
- Job titles and functions
- Social media links
- Professional history (including historical employment data)
According to DemandScience's acknowledgment, the breach originated from a decommissioned system that had been offline for approximately two years. The nature of the attack, including the specific vulnerability or attack vector, has not been disclosed.
Initially, DemandScience denied any evidence of a breach, stating that all systems were operational and that no indication of a hack or breach had been found. In a reversal, DemandScience eventually acknowledged that the leaked data originated from a system that had been decommissioned approximately two years earlier. This admission raises serious questions about data retention policies and the security of legacy systems, even after they are taken offline.