48 Million User Profiles Potentially Leaked by Washington-Based Data Firm LocalBlox

Everyone is a little more sensitive to data breaches nowadays, and rightfully so. Just recently, the Cambridge Analytica scandal came into the spotlight, when data from 50 million Facebook accounts was leaked. Customers of Orbitz, Sears, Equifax, and many other well-known companies have become victims of data breaches within just the last year. The newest data breach is linked to a Washington-based data firm, LocalBlox. It was recently reported by UpGuard that the data of 48 million user profiles from different platforms was potentially leaked, which puts this in the same weight category as the data leak linked to Cambridge Analytica.

According to Zack Whittaker, a researcher at ZDNet, LocalBlox “left a massive store of profile data on a public but unlisted Amazon S3 storage bucket without a password, allowing anyone to download its contents.” The company managed to record information that belongs to 48 million unique virtual profiles. To accumulate the data, the company would crawl the web and record information that came from social networking platforms, which included Facebook, LinkedIn, Twitter, and Zillow. All information was stored in one 1.2 terabyte file that was placed in a bucket called “lbdumps.” This data was found by the UpGuard Cyber Risk Team, and it was reported that it included full names, dates of birth, and even physical addresses, among other kinds of highly sensitive personal information. The bucket was discovered in February, and ten days later, LocalBlox was informed about the situation. The exposure was contained the same day, when the bucket was secured.


Researchers who analyzed the exposed bucket discovered how some of the information was recorded. It was found that parts of the data were accumulated by purchasing marketing databases and the caches that belonged to payday loan operators. Clearly, the information was recorded purposefully, and the exact reasons behind that are still in question. According to the information on localblox.com, the company is meant to offer the “World's Most Comprehensive Cross Device Identity Graph on Businesses, Consumers and Geo Audiences.” The data available on the company’s “consumer website,” consumer.localblox.com, indicates that the company has knowledge of 220 million profiles. So why was part of it placed in an exposed bucket for anyone to see? LocalBlox is not shy to admit that it uses personal information to compete in the marketing industry, and while it may use legitimate ways to obtain such information, it has the responsibility of keeping it safe, and, clearly, it has failed to do that.

LocalBlox’s chief technology officer, Ashfaq Rahman, has recently spoken to GeekWire about the incident, and he stated that the data was not as exposed as claimed by UpGuard, and that, in fact, the company’s security team could not access the Amazon bucket containing the data. Mr. Rahman has also told ZDNet that the 48 million figure is not accurate because a portion of the profiles were said to be fake and used for testing purposes. Unfortunately, the number of these fictitious profiles has not been disclosed at this point. It is also unknown whether anyone managed to access the bucket and steal the information before it was secured after UpGuard’s report. If it was stolen, schemers could easily use this information to create fake profiles, terrorize people using their personal information, and steal virtual identities. As proven by the Cambridge Analytica scandal, personal information can also be used in election campaigning, as well as in creating political propaganda.

Although it might appear that keeping personal data safe is becoming more and more difficult, the harsh reality is that, most likely, we are simply becoming more aware of the data leaks and breaches that occur. Also, with more and more people relying on social networking platforms to communicate with others, find jobs, manage financial accounts, and do other things, there is more room for error. Since more and more companies like LocalBlox are relying on personal user data to grow and compete in the market, it is also likely that more effort will be made to extract such data in the future. It is no longer safe to rely on the platforms and companies we seem to trust to keep our data safe, and we need to take matters into our own hands. Right now, being selective about the content we share and the platforms we share it on is of the utmost importance.


Nickelsburg, M. April 23, 2018. Data leak exposes 48M user profiles, scraped by startup from Facebook, Zillow and others, researcher says. GeekWire.
UpGuard Cyber Risk Team. April 18, 2018. Block Buster: How A Private Platform Leaked 48 Million Personal Data Records. UpGuard.
Whittaker, Z. April 18, 2018. Data firm leaks 48 million user profiles it scraped from Facebook, LinkedIn, others. ZDNet.