Dun & Bradstreet database of 33.7 million people leaked online - employees at Department of Defense, IBM and AT&T exposed
Names, addresses, job titles, the lot all leaked from Dun & Bradstreet
A corporate database belonging to business services company Dun & Bradstreet has been leaked online, exposing sensitive details of more than 33.7 million people employed in the Department of Defense, IBM and AT&T in the US.
The leaked database weighs in at 52.2GB, and according to ZDNet comes via business services firm Dun & Bradstreet, which sells it to marketers that send targeted email campaigns.
Troy Hunt, who runs the website Have I Been Pwned, got his mitts on the database, which he liked breach on dodgy toy maker CloudPets.
After examining the data, Hunt has revealed that the data dump contains details belonging exclusively to US-based companies and government agencies. California is the most represented demographic with over four million records, followed by New York with 2.7 million records and Texas with 2.6 million records.
The leading organisation by records is the Department of Defense, with 101,013 personnel records exposed in the dump. It is followed by the United States Postal Service (USPS) with 88,153 leaked employee records and AT&T with 67,382.
Other firms affected by the leak include CVS with 40,739 records, Citigroup with 35,292 and IBM with 33,412.
The database contains dozens of fields, some including personal information such as names, job titles and functions, work email addresses, and phone numbers.
While the database doesn't contain more sensitive information, such as credit card numbers or SSNs, Hunt says it's an "absolute goldmine for targeted spear phishing".
"From this data, you can piece together organisational structures and tailor messaging to create an air of authenticity and that's something that's attractive to crooks and nation-state actors alike," he said.
"I often work with companies attempting to mitigate the damage of their organisational data being publicly exposed (frequently due to data breaches), and I can confidently say that knowing this information is out there circulating would concern many of them."
Dun & Bradstreet has washed its hands of responsibility for the leak and said it could have come from any one of its thousands of clients.
"Based on our analysis, it is our determination that there has been no exposure of sensitive personal information from, and no infiltration of our system. The information in question is data typically found on a business card.
"As general practice, Dun & Bradstreet uses an agile security process and evaluates and evolves security controls to protect the integrity of our data," a spokesperson told Computing.