DemandScience Data Breach 122M Unique Corporate Email Addresses Affected

A B2B demand generation platform owned by Pure Incubation experienced a data breach that exposed sensitive business contact information.

The breach, which affected nearly 122 million unique corporate email addresses, has raised concerns about data privacy and security in the business-to-business (B2B) sector.

The Breach and Its Impact

The breach was first detected on February 28, 2024, when a threat actor named “KryptonZambie” began selling the compromised data on a popular hacking forum.

The dataset included not only email addresses but also physical addresses, phone numbers, employers, job titles, names, and even links to individuals’ LinkedIn profiles. 

The compromised data was largely compiled from public sources and aggregated by DemandScience for marketing purposes.

Although the company initially denied any breach of its systems, further investigation revealed that the data originated from a decommissioned legacy system that had been inactive for approximately two years.

Response from DemandScience

DemandScience responded to the breach by activating its security protocols and conducting an internal investigation.

The company confirmed that none of its current operational systems were compromised and attributed the leak to an old system that had been retired. 

Despite the company’s assurances that no active systems were affected, the exposure of such a vast amount of business contact data has drawn attention to the risks associated with data aggregation practices in the B2B industry.

In November 2024, Troy Hunt, founder of Have I Been Pwned (HIBP), confirmed the authenticity of the leaked data after several individuals reported finding their information in the breach.

Hunt added the 121.8 million compromised accounts to HIBP’s database, allowing affected individuals to check if their information was part of the leak.

Implications for Data Privacy

The DemandScience breach highlights ongoing concerns about data privacy and security in the digital marketing space.

While much of the exposed information was publicly available business contact information (BCI), the sheer volume of data and its aggregation into a single dataset makes it more accessible to malicious actors.

This incident underscores the need for companies to secure legacy systems and ensure that even publicly sourced data is adequately protected from unauthorized access.

As businesses increasingly rely on data aggregation for marketing and lead generation, incidents like this serve as a reminder of the importance of robust cybersecurity measures and transparent data-handling practices.

Also Read:

GTA Source Code leaked, Threat Actors Listed on Hacking Forums

See more