20

I searched my email addresses in https://haveibeenpwned.com/.

One of my e-mail addresses shows up as having been pwned, and is present in a data breach, in particular the Apollo data breach:

Apollo: In July 2018, the sales engagement startup Apollo left a database containing billions of data points publicly exposed without a password. The data was discovered by security researcher Vinny Troia who subsequently sent a subset of the data containing 126 million unique email addresses to Have I Been Pwned. The data left exposed by Apollo was used in their "revenue acceleration platform" and included personal information such as names and email addresses as well as professional information including places of employment, the roles people hold and where they're located. Apollo stressed that the exposed data did not include sensitive information such as passwords, social security numbers or financial data. The Apollo website has a contact form for those looking to get in touch with the organisation.

I have never subscribed to Apollo or given my address to Apollo.

How do they have my e-mail address in the first place?

Web scraping?

robertspierre
  • 40
    They could simply have bought your data. – Polygnome Mar 10 '21 at 21:18
  • 4
    I don't know anything about Apollo, but they also could have acquired a company that had your data – Ryan Amos Mar 11 '21 at 01:12
  • 1
    Don't know anything either about Apollo, but a customer of theirs may have shared data with them in the course of integrating their services. – jcaron Mar 11 '21 at 12:09
  • #stayHappy: ClearView AI already scraped all our biometrics from around the web, and almost all EU privacy boards are upset with them. After verifications.io, I entered the next level: I am getting called on an almost daily basis by electricity and gas brokers who know my exact home address where power is supplied. Hooray! – usr-local-ΕΨΗΕΛΩΝ Mar 12 '21 at 11:26

2 Answers

36

Web scraping is indeed a possibility, as mentioned in this Wired article:

As Apollo noted in its letter to customers, it draws a lot of its information from public sources around the web, including names, email addresses, and company contact information. But it also scrapes Twitter and LinkedIn.

Glorfindel
  • 6
    Is it really "pwned" then if all the information "leaked" was already in public access? – JonathanReez Mar 11 '21 at 19:58
  • 9
    @JonathanReez I'd argue yes, as the pwn means no one has to work to steal/harvest the data from public sources. It's already compiled, which makes it far easier to use and abuse. – David Wheatley Mar 11 '21 at 20:26
0

I suspect that what happened was that the database for that site was hacked/leaked, and the site telling you whether you were pwned does not check if you had created an account with the site or if you were only on there by virtue of having an email address on the internet.

Anyone who created an account and made a password needs to change their password (and their practices re: creating accounts). You are listed as pwned because some people made passwords for that site, and the site informing people whether they have been pwned doesn't distinguish between those who have made accounts and those who haven't (proper policy; you're safer because it doesn't).

If this is the only place you're listed as pwned, you're doing very well; respect to your password manager.

  • 3
    Welcome to Security Stack Exchange! Note that the author of the question uses the word 'pwned' but nowhere says their password has been compromised, just an email address. – Glorfindel Mar 12 '21 at 06:48
  • 1
    OP is 'pwned' because their email address was included in the dataset leaked by the site. That's all haveibeenpwned.com reports on. The question isn't about whether they have an account there (they know they don't), but why that site had their email address in the first place when OP never gave it to them. – Seth R Mar 12 '21 at 16:53