Home Security Massive Dun & Bradstreet database leaked online

Massive Dun & Bradstreet database leaked online

More than 33 million records from a corporate database belonging to business services company and debt collector Dun & Bradstreet have been leaked online.

Troy Hunt, who runs the haveibeenpwned website, said he had been sent a copy of the database as a 52.2GB CSV file, containing 33,698,126 records.

Hunt discovered that one of the records was that of Jake Whittaker, who works for CBS Interactive, and writes a column for the tech website ZDNet.

Whittaker filed a story about the leak, but did not mention that his details were also in the dump or the fact that Hunt was the source for the story.

With Whittaker's permission, Hunt listed his data on his website.

   "netprospex contact id":"177496766",
   "first name":"Zack",
   "last name":"Whittaker",
   "job title":"Writer Editor",
   "contact phone 1":"(415) 344-2000",
   "contact phone 2":"(415) 344-2000",
   "primary job function":"Marketing",
   "all job functions":"Creative",
   "company name":"CBS Interactive Inc.",
   "company phone":"(415) 344-2000",
   "location type":"HQ",
   "street address":"235 2Nd St",
   "city":"San Francisco",
   "postal code":"94105",
   "county":"San Francisco",
   "web address":"http://www.zdnet.com",
   "revenuerange":"$100 mil to less than $250 mil",
   "employee range":"500 to less than 1,000",
   "primary industry":"Advertising & Marketing",
   "all industries":"Advertising &Marketing; Information Collection & Delivery",
   "primary sic code":"7319",
   "primary sic description":"Advertising, nec",
   "company name (us ultimate parent)":"National Amusements, Inc.",
   "d-u-n-s (us ultimate parent)":"49422439",
   "street address (us ultimate parent)":"846 University Ave",
   "city (us ultimate parent)":"Norwood",
   "state (us ultimate parent)":"MA",
   "postalcode (us ultimate parent)":"02062",
   "country (us ultimate parent)":"US",
   "revenue (us ultimate parent)":"27613349110",
   "revenue range (us ultimate parent)":"$1 bil and above",
   "employees (us ultimate parent)":"133269",
   "employee range (us ultimate parent)":"100,000 and above"

Analysing it, he wrote: "...a few things were nagging me about this data. Firstly, it's perfect. Every name is properly cased, every email address is well-formed and there are none of the tell-tale signs of user-entered data. This didn't come from any sort of mass collection exercise such as buying marketing lists River City Media style, it was almost certainly carefully curated at some central point.

"Secondly, the data is 100% US. Every single 'country' value is precisely as you see above for Zack. It's from all over the US as you'd expect with a set of records that large; California is the most represented with over 4 million records, then New York state with 2.7 million, Texas with 2.6 etc.

"Thirdly — and this is really a conclusion from the previous two points — it feels like data that was provided as a commercial feed of US businesses and their employees. This looks precisely like the sort of thing people would pay money for as it's a pretty valuable set of information. Which brings us to NetProspex."

Using this information, Hunt traced the database to Dun & Bradstreet which provided the Net Prospex service.

Hunt said a break-up of the data showed the following 10 companies at the top:

  • DOD Cce : 101,013
  • United States Postal Service : 88,153
  • AT&T Inc. : 67382
  • Wal-Mart Stores, Inc. : 55,421
  • CVS Health Corporation : 40,739
  • The Ohio State University : 38,705
  • Citigroup Inc. : 35,292
  • Wells Fargo Bank, National Association : 34,928
  • Kaiser Foundation Hospitals : 34,805
  • International Business Machines Corporation : 33,412

He said that despite Dun & Bradstreet claiming that the leak included no personally identifiable information (PII), the details he had seen indicated that this was incorrect.

"When you have someone's first and last names, their job title and their email address along with the company they work for, you have PII. And that's really what makes this a highly volatile collection of data; this much personal information on this many people and set in the context of their professional roles poses numerous risks to the organisations involved here," he wrote.

But he could still see some humour in the situation.

"Let me finish on a lighter note: There are three records for individuals with a first name of 'Donald', a last name of 'Trump' and a job title of 'President'," he wrote.

"They occupy genuine roles within legitimate businesses and just happen to share these three data points with the 45th bloke at the top. Their industries are 'Airlines, Airports & Air Services', 'Insurance' and... 'Hair Salons'."


Did you know: 1 in 10 mobile services in Australia use an MVNO, as more consumers are turning away from the big 3 providers?

The Australian mobile landscape is changing, and you can take advantage of it.

Any business can grow its brand (and revenue) by adding mobile services to their product range.

From telcos to supermarkets, see who’s found success and learn how they did it in the free report ‘Rise of the MVNOs’.

This free report shows you how to become a successful MVNO:

· Track recent MVNO market trends
· See who’s found success with mobile
· Find out the secret to how they did it
· Learn how to launch your own MVNO service


Sam Varghese

website statistics

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.