HQ/EMEAFind out how we can help your business
Pure Incubation, now known as DemandScience, allegedly suffered a data breach earlier this year that resulted in the theft of valuable data, especially contact information.
The affected entity is a B2B demand-generating and data aggregator that collects, collates, and arranges data from public sources to build a complete dataset that digital marketers and advertisers may use to develop rich “profiles” for generating leads or marketing material.
Moreover, this company has gathered company data from public and third-party sources, such as full names, physical addresses, email addresses, phone numbers, job titles and roles, and social media links.
A threat actor started to sell the data in February, allegedly owned by Pure Incubation.
An unprotected system on Pure Incubation is the alleged cause of the data breach, allowing a threat actor named ‘KryptonZambie’ to sell about 132.8 million documents on BreachForums starting last February.
On the other hand, the data aggregator insisted on one of the inquiries, saying there was no indication of a hack. However, a follow-up email inquiring whether the leaked data samples belonged to them remained unanswered.
Furthermore, the senior director of corporate communications explained that the post from a black hat hacker criminal site prompted them to deploy their security and incident response systems.
The firm also insisted that its systems are fully operational and that its initial investigation has yet to find evidence of a hack or breach of its data. Still, it assured every concerned party that it constantly monitored the issue.
On August 15, 2024, KryptonZambie made the dataset public for eight credits, equivalent to a few dollars. This publication forced the company to confirm the data’s legitimacy.
However, the confirmation also included a statement that anyone exposed to the leak involving DemandScience came from a system decommissioned two years ago.
All 122 million unique email addresses from the stolen dataset have been added to Have I Been Pwned, and affected subscribers will be notified about the breach. Therefore, the potentially affected individuals by the data breach should be wary of incoming unsolicited communications as threat actors can already execute targeted phishing campaigns.
