Evitten Twice Shy
UPDATE 22 November 2019: Thanks once again to Troy Hunt and Have I Been Pwned, today I found out I my email address was among over 622 million unique email addresses exposed in a data breach of an index indicating it was sourced from People Data Labs (PDL). This section really resonates with me:
The recurring theme I'm finding with exposed data of this nature is increasing outrage that the data aggregator obtained and used personal information in a fashion the owner of the data (i.e. me) didn't consent to. It's not about how public the data might be through the channels people choose to publish it, rather it's about the use of the data outside its intended context. […] And this is the real problem: regardless of how well these data enrichment companies secure their own system, once they pass the data downstream to customers it's completely out of their control. My data—almost certainly your data too—is replicated, mishandled and exposed and there's absolutely nothing we can do about it. Well, almost nothing…
After reading Troy’s post, I wrote the following to support@peopledatalabs.com
Your privacy policy states that people may “access any information we have on them” and that you will “reply to a person’s request within five business days” or delete it outright.
Today I found out [my email address] was exposed in a data breach of an index indicating it was sourced from People Data Labs (PDL) along with over 622 million other unique email addresses. https://www.troyhunt.com/data-enrichment-people-data-labs-and-another-622m-email-addresses/
I would like to know exactly what data you have associated with the email address above or [my name]. Secondly I want confirmation that my data—that I never gave you permission to obtain, collect, or pass along downstream to customers—has been deleted from your systems and will not be shared, bundled, packaged, or sold again.
If your data is in the breach, I suggest you do the same. Visit HIBP to check. Here is the breach summary on HIBP:
Breach date: 16 October 2019
Date added to HIBP: 22 November 2019
Compromised accounts: 622,161,052
Compromised data: Email addresses, Employers, Geographic locations, Job titles, Names, Phone numbers, Social media profiles
– Pwned websites - Data Enrichment Exposure From PDL Customer
Along with Evite, PDL joins the ever-growing list of companies who have leaked my data, in my personal HIBP wall of shame: Dropbox, Tumblr, Adobe, 500px, and Verifications.io.
Did you have an Evite account as of August 2013?
‘Why August 2013?…’ you might ask. Well it seems Evite’s systems were breached sometime around February 22, 2019, and that they became aware of this “malicious activity” in April 2019, apparently when ZDNet notified Evite the data was for sale on the dark web.
In this compromise, the attackers made off with a database archive, old data from 2013:
On May 14, 2019, we concluded that an unauthorized party had acquired an inactive data storage file associated with our user accounts.
– FAQ #1 from Evite’s “Data Incident” notice
There is also a notice at Have I Been Pwned (which is how I found out about the breach on July 14) which lists:
Compromised data: Dates of birth, Email addresses, Genders, Names, Passwords, Phone numbers, Physical addresses
HIBP’s summary is:
In April 2019, the social planning website for managing online invitations Evite identified a data breach of their systems. Upon investigation, they found unauthorised access to a database archive dating back to 2013. The exposed data included a total of 101 million unique email addresses, most belonging to recipients of invitations. Members of the service also had names, phone numbers, physical addresses, dates of birth, genders and passwords stored in plain text exposed.
– Have I Been Pwned: Pwned websites - Evite
If you are asking yourself, ‘OK but what am I supposed to do?…’ your best bet is to check your Evite password. If you know that you have reused that password elsewhere, particularly on financial or email accounts, change those passwords now. Likely damage would have already been done, since apparently the stolen data has been for sale since April, but better late than never when it comes to protecting yourself. If you are unsure whether you still have an account, go to evite.com/login and, if needed, request a password reset email with the “Forgot Your Password?” link at the bottom of the form to determine if your email address has an associated account.
If you have any further questions or want help, feel free to get in touch using one of the links below.