Over 100 million leaked records of business contact information listed on the dark web linked to B2B data aggregator DemandScience might have been stolen from a third party, the company has told ITPro.
Formerly known as Pure Incubation, DemandScience is an AI-powered B2B demand generation company that helps organizations find potential customers for upcoming campaigns.
The firm scrapes the public internet, building an expansive database that marketers and advertisers can use to tailor their strategies and lead generation.
On 28 February 2024, a threat actor named ‘KryptonZambie’ listed Pure Incubation on BreachForums, claiming to have a stolen database containing 183 million records for sale.
The listing claimed the stolen information contained individuals’ first and last names, business email address, business address, business phone number, job title, and function, all available for $6,000.
At the time, the firm denied there was any evidence of a breach to media outlets, adding that its systems remained operational and its systems remained secure.
The company refused to confirm or deny if the leaked samples provided by the hacker were legitimate. A few months later in August, KryptonZambie made the stolen data cache available for a few dollars, effectively leaking it for free.
DemandScience maintains none of its systems breached
DemandScience told ITPro it takes data privacy very seriously, emphasizing that it only collects publicly available business contact information (BCI).
“The security of data is of the utmost importance to us, and accordingly we have very strict and robust data privacy, compliance and security systems and protocols and comply with global Data Protection laws," a spokesperson said.
"It is also important to note that we process publicly available Business Contact Information, and do not collect, store, or process consumer data or any type of credential information or sensitive personal information including accounts, passwords, home addresses or other personal, non-business information.”
The firm added that the incident affected a decommissioned legacy system, and it immediately launched an investigation into the incident and with current evidence still indicating none of its systems suffered a breach, or were otherwise affected.
“Earlier this year we became aware that a threat actor, in a post on a black hat hacking crime forum, claimed that he or she had information that was allegedly hacked from Pure Incubation (a related company), and that it involved data legacy systems which have been decommissioned," the spokesperson added.
"We immediately activated our security and incident response protocols. We determined that all our systems are 100% operational, and the investigation, conducted by internal resources and outside counsel, found that no systems had been breached.”
The company stressed that as it found no breaches to its own systems, the unauthorized access must have occurred at a third partner, either a contractor or publisher partner.
“We concluded that some older Pure Incubation data could have been shared by or hacked from a contractor or publisher partner, but do not have proof. We are continuing to monitor the situation, so it would not be appropriate to expand further at this point.”
Compromised legacy system could've been cause of the breach
A recent blog post from security researcher and Have I Been Pwned founder Troy Hunt confirmed the data included in KryptonZambie listing was authentic after an individual, given the name Jason, found his information in the data sample available on BreachForums.
Jason confirmed to Hunt that the details included in the database were accurate, and relayed the response he received after approaching DemandScience to enquire about how his information ended up on the dark web.
The firm also confirmed to Jason that according to its investigation the information leaked on BreachForums was stolen from a legacy system that had been decommissioned two years ago.
Notably, Hunt found his own details were included in the breach, but noted some of them were out of date, using an email address he had not used for almost a decade, and a VP job title that was not accurate.
Overall the breach contained 122 unique million compromised accounts, which have now been added to Have I Been Pwned, and will receive continued updates on the status of the breach.
