Data breach exposes 122 million records from DemandScience following initial denials
asane


A database of information on 122 million people that has been circulating since February 2024 has been confirmed stolen from business-to-business demand generation platform DemandScience US LLC.

The database first appeared for sale on the infamous hacking forum BreachForums from a user named “KryptonZambie,” who claimed the data was stolen from Pure Incubation, the name DemandScience was previously known by. However, at the time, DemandScience denied that the data belonged to it.

“All of our systems are 100% operational and we have found no indication of a hack or breach of any of our systems or data (all are secured behind firewalls/VPN access/access control/intrusion detection systems),” said the company’s spokesperson at the time. “We continue to monitor the situation, so it would not be appropriate to expand further at this time.”

Bleeping Computer, which got the response from DemandScience, followed up again but did not hear back from the company.

By August, the same data set was being offered by KryptonZambie on BreachForums for eight credits, the equivalent of a few dollars, making the data almost free.

Now security researcher Troy Hunt of Have I Been Pwned wrote Wednesday that the data is authentic and that it originated from DemandScience. The confirmation came from someone exposed in the leak who contacted DemandScience and was told that the leaked data “came from a system that had been decommissioned two years ago,” despite DemandScience previously denying any link to the data.

Aaron Walton, threat intelligence analyst at managed detection and response firm Expel Inc., told SiliconANGLE via email that “all companies should think about their data exposure in terms of risk” and that “with data aggregation platforms, stealing their data is tantamount to stealing their most prized possessions.”

“With this data stolen and made public, it allows for a significant impact on their business,” Walton said. “I mean, why should a company pay DemandScience if they can find the information they want for cheap?”

A breach like this can go undetected if organizations don’t monitor their entire broad security, he added.

“In this case, it looks like some technology has been decommissioned, but it hasn’t completely sunk in,” he said. “When possible, it’s best to have a strong process to confirm that assets are fully decommissioned.”
