Sales intel firm Apollo data breach exposed more than 200 million contact records
7.10.2018 securityaffairs

The sales intelligence firm Apollo is the latest victim of a massive data breach that exposed more than 200 million contact records.
Apollo collects a lot of its information from public sources, including names, email addresses, and company contact information; it also gathers data by scraping Twitter and LinkedIn.

The company notified its customers of the security breach last week; the incident occurred on 23 Jul 2018.

“On discovery, we took immediate steps to remediate our systems and confirmed the issue could not lead to any future unauthorized access,” co-founder and CEO Tim Zheng wrote.

“We can appreciate that this situation may cause you concern and frustration.”

The company, formerly known as ZenProspect, allows salespeople to connect with potential buyers using its database of 200 million contacts at 10 million companies.

Affected customers received a data breach notification email; a copy was obtained by TechCrunch.

The data breach notification said the breach was discovered weeks after system upgrades in July.

“We have confirmed that the majority of exposed information came from our publicly gathered prospect database, which could include name, email address, company names, and other business contact information,” reads the data breach notification email sent to the customers.

“Some client-imported data was also accessed without authorization,”

Exposed data includes email addresses, employers, geographic locations, job titles, names, phone numbers, salutations, and social media profiles.

The good news is that exposed data doesn’t include Social Security numbers, financial data or email addresses and passwords.

Apollo chief executive Tim Zheng confirmed the investigation is still ongoing, but he did not say if the company has informed state authorities of the security breach.

Apollo co-founder and CTO Ray Li told WIRED that the company is investigating the breach and has reported it to law enforcement.

Experts warn that the company may face sanctions under the European GDPR.

Even if no sensitive data has been exposed, this kind of incident exposes users to the risk of fraud, spam, or other harmful actions.

Troy Hunt has already included the records in his data breach tracking service HaveIBeenPwned.

“It’s just a staggering amount of data. There were 125,929,660 unique email addresses in total. This will probably be the most email notifications HaveIBeenPwned has ever sent for one breach,” Hunt explained. “Clearly this is all about ‘data enrichment,’ creating comprehensive profiles of individuals that can then be used for commercial purposes. As such, the more data an organization like Apollo can collect, the more valuable their service becomes.”