Allstate Identity Protection is proudly compliant with the new California Consumer Privacy Act. View our privacy policy here.
Exciting news! InfoArmor is now Allstate Identity Protection. Same great company. Same powerful protection. Learn more.

Want to get updates on InfoArmor News?

A major data breach is unfolding before our very eyes, and it wasn’t caused by an elite team of hackers, a band of high-tech identity thieves, or any other concoction of criminality. The real culprit? A marketing company in Florida named Exactis — which is Latin for “finished.”


According to Wired, Exactis exposed the personal data of 230 million Americans. If accurate, this new breach would have directly impacted 45 percent more Americans than the 2017 Equifax breach that shook the world. 

We expect to learn more about this developing story in the coming days and weeks, and we’ll keep you updated. In the meantime, here are five things you need to know now.

#1  What is Exactis?

Exactis is a data aggregation and marketing firm based in Palm Coast, Florida. While its website doesn’t provide much information, it appears the firm sells premium business and consumer data.

The company claims to have more than 3.5 billion records that are updated on a monthly basis. Of course, it also reports that its data warehouse is “the largest and most respected in the digital and direct marketing industry.” 

#2  How was the breach discovered?

The breach was discovered in June 2018, when security researcher Vinny Troia sought to test the security of ElasticSearch — a widely-used database type. By leveraging a search tool called Shodan, Troia uncovered around 7,000 databases on publicly accessible servers. One of those databases, which happened to belong to Exactis, was completely unprotected. Troia accessed the data, confirmed it’s accuracy, and alerted both Exactis and the FBI. 

#3  What information was compromised?

Exactis exposed nearly 340 million records. Around two-thirds of those belonged to individuals and the remaining third to companies across the nation. Although it doesn’t appear Social Security numbers and credit card data were revealed, a wide-range of personally identifying information was.

In total, the company recorded more than 400 characteristics about individuals. This data includes everything from personally identifiable information to a person’s hobbies and interests, as well as all known data about their families.

Here are just a few examples of the information stored on individuals:

  • Important physical addresses
  • Email addresses
  • Phone numbers
  • Number, age, and gender of their children
  • Smoking habits
  • Religious affiliation

Cybercriminals can use this information to impersonate a victim, conduct social engineering, and commit a wide array of fraud.

#4  How can you tell if your information was included?

Currently, Exactis isn’t offering a way to see if you were part of the breach. If this changes, we’ll alert followers via our social media accounts and update this article. In the meantime, you should presume you are among the 230 million American victims.

#5  What can you do about it?

The most important step you can take is to stay vigilant! This can be daunting in today’s reality, where data breaches occur on a near-daily basis. The type of data involved in the Exactis incident further complicates matters for victims.

Traditional credit monitoring services only monitor credit-based accounts. While it’s important to monitor your credit score and report frequently, this isn’t enough to protect you. You need a quality identity protection service that sends alerts regarding address changes, password updates, and even questionable social media posts.

Before you purchase a plan on your own, it’s a good idea to speak with your company’s HR director. Many businesses are now providing their employees with identity protection insurance as part of their benefits program.

If your company does provide this option, sign up the whole family ASAP. If your company doesn’t provide the option, you may want to forward along our complimentary ebook, Why Companies Should Care When Employees Have Their Identities Stolen.

New Call-to-action