Why People Are Freaking Out About the Exactis Breach

A major hack with over 300 million consumers impacted.

What is the largest hack in history?

What is the most dangerous hack in history?

To the horror of consumers, the Exactis breach is one of the worst.


Over 340 million accounts were exposed by the data aggregation and marketing firm Exactis, including detailed aggregate consumer information, per the Associated Press. This compromise, combined with other major compromises, now gives hackers significant consumer information, which could lead to costly compromises for consumers. Exactis refers to itself as the “LARGEST AND MOST RESPECTED IN THE DIGITAL & DIRECT MARKETING INDUSTRY” as of the time of this article.

Expect consumers to uncover which firms have done business with Exactis. While Exactis faces responsibility for this breach and legal firms may target it, firms that have used Exactis may also become targets of consumers. Businesses should consider the security methods used by technical firms if they want to avoid legal liability or consumer backlash. This breach shows that consumers may not be safe or secure on some sites, depending on the marketing methods used. If consumers do not value security or safety, this should not be a problem.

The US population is 326 million. This hack compromises 340 million people, which means this breach compromises more people than there are Americans. Consumers who do business with American firms that do not prioritize security will continue to face digital compromises related to their information.

Hackers Target Behavior

While other security breaches have involved private data, the target of the Exactis breach appears to be behavioral data. Hackers’ focus on behavioral data shows a dangerous shift. A focus on private information, and on breaches involving these data, often overlooks some of the limitations of these breaches. The compromise of behavioral data carries more danger, especially as technology expands users’ ability to clone information. We can consider a comparison in the context of the Bangladesh Central Bank hack. Since private information and theft were the target, hackers stole money and compromised private information of the bank. If hackers had targeted behavioral data, they could have compromised the bank in ways that didn’t raise caution until much later. While millions were stolen, a behavioral hack may have resulted in billions.

This hack also proves what we’ve been warning firms about: hackers are evolving faster than companies are. This will add major costs for companies worldwide. Even if companies assess security risks accurately, they overlook data points that could be more valuable to hackers than private information. As Charlie Munger says, “Show me the incentives and I’ll show you the outcome.” Hackers have the strongest incentives.

According to the EFF, Facebook even used phone numbers for advertising purposes. Based on that article, did Facebook make this clear? Did Facebook alert consumers? Do Facebook users know how their data are being targeted?

Danger of Breach

What made Meltdown and Spectre dangerous was the length of exposure. Hackers had years to exploit these two weaknesses. On a scale of one to ten, hardware hacks like Meltdown and Spectre would both be a ten, especially when we factor in the time firms carried risks of exposure. By contrast, most hacks face limits due to their attack – a financial hack being cut off once discovered. In some cases, these may see increased damage. Like a hardware compromise, behavioral hacks carry major damage to consumers. Consumers cannot protect themselves following this compromise, and future information and activity are at risk – not only current information. This differs from a privacy breach, as privacy breaches compromise current information, never future (or even if future information is compromised, it can be terminated). Behavioral hacks carry dangers to consumers that are on the scale of hardware compromises due to their future attack capability.

As We Predicted

With the ease of data storage, hackers have a wide field of targets. Hackers have also shown an interest in behavioral data in the past, though breaches have been limited. Five years ago, we predicted that hackers would continue to succeed at compromising their targets and obtaining behavioral data. These data align with the intent and needs of hackers for further compromise, along with increasing their tools for individual attacks.

Exactis Becomes One of the Largest Breaches

This is considered one of the largest breaches in the United States, as a single event. The Equifax breach, which compromised over 100 million customers’ private information, pales in comparison to this Exactis breach. In the same manner, hacks against banks often happened over periods of time. Given the number of consumers, the type of data, and the significance of this breach, costs will be felt for decades. Unfortunately, consumers cannot protect behavioral data that has been compromised. By contrast with identity hacks, identity theft can sometimes prevent further breaches.

Some advertising agencies do not care about consumer information. Consumers must accept responsibility for the methods these companies use to track their information. This could mean that consumers who value their data must terminate business with companies that engage in business with advertising agencies that track behavioral information.

In speaking with a few attorneys about this hack, lawsuits may result from this breach. Unfortunately, consumers will not win awards that match the cost of the breach. Depending on how customer information is used, it may take years for consumers to identify a breach as related to this Exactis breach.