The sales intelligence firm Apollo sent a notice to its customers last week disclosing a data breach it suffered over the summer. “On discovery, we took immediate steps to remediate our systems and confirmed the issue could not lead to any future unauthorized access,” cofounder and CEO Tim Zheng wrote. “We can appreciate that this situation may cause you concern and frustration.” In fact, the scale and scope of the breach have a lot of people concerned.
Apollo is a data aggregator and analytics service aimed at helping sales teams know who to contact, when, and with what message to make the most deals. “No one ever drowned in revenue,” the company says on its site. Apollo also claims in its marketing materials to have 200 million contacts and information from over 10 million companies in its vast reservoir of data. That’s apparently not just spin. Security researcher Vinny Troia, who routinely scans the internet for unprotected, freely accessible databases, discovered Apollo’s trove containing 212 million contact listings as well as nine billion data points related to companies and organizations. All of which was readily available online, for anyone to access. Troia disclosed the exposure to the company in mid-August.
As Apollo noted in its letter to customers, it draws a lot of its information from public sources around the web, including names, email addresses, and company contact information. But it also scrapes Twitter and LinkedIn. In fact, the information in the profiles Apollo compiles is so detailed that Troia originally mistook it for a trove from LinkedIn. Some of Troia’s methods of investigating the Apollo breach have been called into question, though, particularly that he posted a listing for the exposed LinkedIn data on a dark web marketplace. Troia claims he never planned to actually sell the data, and that he made the post as a ruse to aid other ongoing research.
For its part, LinkedIn issued a firm rebuke. “Our investigation into this claim found that a third-party sales intelligence company that is not associated with LinkedIn was compromised and exposed a large set of data aggregated from a number of social networks, websites, and the company’s own customers,” the company said in a statement.
Combining all of that public data in one easily accessible location creates inherent risk; if it leaks, as the Apollo data has, it enables scammers, fraudsters, and phishers to craft compelling targeted attacks against a huge number of people. But the Apollo breach has an additionally problematic layer. “Some client-imported data was also accessed without authorization,” Zheng wrote in the disclosure to customers last week.
Customers access Apollo’s data and predictive features through a main dashboard. They also have the option to connect other data tools they might use, for example authorizing their Salesforce accounts to port data into Apollo. Troia found that more than seven million pieces of internal “opportunity” data, information about impending sales commonly associated with Salesforce, were exposed in the breach. One Apollo client alone had almost a million records exposed.
“There is always a high risk for fraud, spam, or other even harmful actions when these types of data sets leak,” Troia says. “People already receive phishing and voice-phishing messages every day. Now you are talking about exposing potentially hundreds of millions of people to more avenues for phishing and fraud. Meanwhile, Apollo seems to have about 530 clients who each had different amounts of valuable opportunity data caught up in this leak.”
Apollo cofounder and CTO Ray Li told WIRED that the company is investigating the breach and has reported it to law enforcement. The data does not include financial data, Social Security numbers, or account credentials. Apollo said in its initial letter to customers that “an unidentified third party accessed our systems without authorization before our remediation efforts,” which could mean that the data is already in the hands of scammers.
Troia also provided the contact data included in the breach to security researcher Troy Hunt, who runs the data breach tracking service HaveIBeenPwned. Hunt has added the Apollo data to the repository, and plans to notify the HaveIBeenPwned network about the incident.
“It’s just a staggering amount of data. There were 125,929,660 unique email addresses in total. This will probably be the most email notifications HaveIBeenPwned has ever sent for one breach,” Hunt says. “Clearly this is all about ‘data enrichment,’ creating comprehensive profiles of individuals that can then be used for commercial purposes. As such, the more data an organization like Apollo can collect, the more valuable their service becomes.”
Apollo’s core product not only collects publicly available information, but creates a web of business and employee connections out of it. In addition to names, contact information, and job titles for employees, the data also includes things like the dates companies were founded, revenue numbers, keywords associated with the work companies do, number of employees, and website ranking by the Amazon-owned analytics company Alexa. The service then uses all of this information to try to draw connections between companies and identify possible sales opportunities.
The Salesforce data pulled into the Apollo breach raises the stakes, since that information was never meant to be public, and many clients rely on Salesforce as an internal tool for business development. During his research, Troia became even more concerned when he noticed that when a user authorizes Salesforce to connect with Apollo, they apparently can’t authorize Apollo to only pull specific types of data. Choosing to connect the two services seems to initiate total access.
This doesn’t mean Apollo grabbed all of a given company’s Salesforce data, but Troia notes that Apollo may have held more private opportunity data than some clients realized. Salesforce declined to comment for this story about the breach or how third-party authorizations work. Apollo’s Li told WIRED that “Customers have full and customizable control and management of the data they’ve imported to Apollo.”
Apollo is far from the first data aggregator to have a breach, and as all the incidents compound, the threat of having all of that curated information so easily accessible becomes even more pressing.
“What almost worries me more [than the raw data exposure] is the mapping of social identities to email address and other personal data, because there’s now so much more you can pull on a person,” Hunt says. “We’re continually seeing massive breaches of data aggregators who hold information on people who have no idea their personal information has been used in this fashion. I understand that it’s Apollo’s customers who provided access to their customers, but the fact remains that there are north of 100 million people out there who have no idea who Apollo is nor that their information was exposed.”