230 Million Records Belonging to US Citizens for Sale on Database Sharing Platform

Published 26 April 2021


  • The poster claims that the 263 GB file contains 59 million unique email addresses
  • Multiple other actors on the forum have claimed this data is part of the SolarWinds attack


Category: Adversary Intelligence
Affected Industries: Unknown
Affected Region(s): US
Data Fields: Email Address, Mobile number, Address, Income

 

Discovery of the Leak

CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a surface web database marketplace advertising 230 million records belonging to US citizens.

The post was published on 22 April 2021. The poster claims that the 263 GB file contains 59 million unique email addresses and has highlighted that the leak does not contain any passwords. 

Post shared by threat actor

Contents of the Leak

The leaked database contains the following data fields:

  • HH_ID
  • ID
  • First_Name_01
  • Alphafirstname_sort
  • Phonetic_First_Name
  • Middle_Name_01
  • Last_Name_01
  • Alphalastname_sort
  • Phonetic_Last_Name
  • Address
  • Alphaaddress_sort
  • City
  • CITY_PHRASE
  • Alphacity_sort
  • Cities 

 

The 59 million unique emails present in the database are distributed across the following domains:

Count     Domain          Count   Domain            Count   Domain
25987376  yahoo.com       813295  netzero.net       255787  prodigy.net
16348340  gmail.com       777126  cox.net           242859  lycos.com
15192759  aol.com         722168  worldnet.att.net  241463  iwon.com
12692882  hotmail.com     665467  excite.com        230769  mail.com
3822315   msn.com         625490  netscape.net      227588  frontiernet.net
3727998   comcast.net     577755  charter.net       216468  alltel.net
2490479   att.net         485109  live.com          209631  centurytel.net
2120678   bellsouth.net   454116  adelphia.net      208704  rocketmail.com
2053038   sbcglobal.net   439034  peoplepc.com      206158  blackplanet.com
1505939   att.com         354191  webtv.net         204464  pacbell.net
1346057   sbcglobal.com   346773  ymail.com         201895  attbi.com
1133534   earthlink.net   330262  mindspring.com    200970  ameritrade.com
1010741   juno.com        294525  address.com       193412  cfl.rr.com
955291    verizon.net     280489  ameritech.net     193211  netzero.com
837589    cs.com          255813  gte.net           190661  angelfire.com

 

Data Verification and Validation 

The sample data is currently being validated. Multiple other actors on the forum have claimed this data is part of the SolarWinds attack.

Another threat actor has posted a thread advertising SolarWinds/NSA data. The data schema of the second actor’s post matches that of the original poster. However, the original threat actor has denied these claims, referring to them as conspiracies.

SolarWinds Database 
