49 million user records from US data broker LimeLeads put up for sale online

Data from an exposed LimeLeads Elasticsearch server ends up on a hacking forum.
Written by Catalin Cimpanu, Contributor
Image: ZDNet

A hacker is currently selling a huge database of 49 million business contacts on a underground hacking forum, ZDNet has learned.

The hacker claims the data belongs to LimeLeads, a San Francisco-based business-to-business (B2B) leads generator, which +makes its money by renting access to an internal database containing business contacts that can be used for pitches and sales.

Following a tip from our readers, ZDNet was made aware two weeks ago that a threat actor going by the name of Omnichorus was selling LimeLeads' data online.

Sources in the threat intelligence community have told ZDNet that Omnichorus is a well-known individual on underground hacking forums, having built a reputation for sharing and selling hacked or stolen data -- a so-called "data trader."

Unsecured server to blame, not a cyber-attack

While initially after receiving the tip we thought the company had suffered an intrusion into its systems following an intentional cyber-attack, we soon discovered that this was not the case.

LimeLeads turned out to be just the latest in a long line of companies that failed to set up a password for an internal server, which allowed anyone on the internet to access the company's crucial customer data.

Bob Diachenko, a security researcher who searches the internet for exposed databases and then notifies affected companies has confirmed to ZDNet that the company had exposed an internal Elasticsearch server.

He told ZDNet that one of the company's servers had been indexed by search engine Shodan as an open system since at least July 27, 2019.

Diachenko said he notified LimeLeads of the exposed server on September 16, last year, and the company secured the exposed system a day later.

While some companies might get away with exposing an internal server on the internet without any major security leaks, this was not the case for LimeLeads.

Despite the company's prompt response to Diachenko's notification, it appears that Omnichorus also got hold of the company's data, and has been selling it online since October last year.

According to Diachenko, and a sample of the data pubished by Omnichorus in their ad, the LimeLeads data contains user details such as: full name, title, user email, employer/company name, company address, city, state, ZIP, phone number, website URL, company total revenue, and the company's estimated number of employees.


The danger from this data being sold is that it provides hackers and malware operators with an ideal base to launch spear-phishing attacks against verified companies and their appropriate contact.

LimeLeads did not return a request for comment for this article sent by ZDNet last week.

Data leaks: The most common sources

Editorial standards