Straffic Breach

While many people who were affected by the Straffic breach received notifications from Credit Karma, the breach had nothing to do with the personal finance company. Credit Karma has a policy of notifying its users when their information is exposed in a breach.
By Kelvin Wamalwa
Updated on August 18, 2022

In February 2020, 140 GB of user data from the Straffic database was exposed. This data trove included 49 million unique email addresses and other sensitive personal information, including full names, phone numbers, and physical addresses. Straffic, an Israeli company few had heard of before the breach, has not disclosed how it came to hold the data of so many people in Europe and the US.


What is Straffic breach?

The Straffic breach came to light in late February 2020. The company had left the credentials to its Elasticsearch database on an unprotected domain that anybody could access. A San Diego-based engineer who goes by 0m3n on Twitter found the credentials and disclosed the exposure.

The data may have been exposed for as much as two years before that. 0m3n started investigating because he kept receiving spam texts with nonsensical links. While tracing one of those links, he discovered the credentials to Straffic's unprotected database.
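The practical lesson of the discovery is that an Elasticsearch cluster reachable from the internet answers a casual scanner just as readily as it answers its owner. The script below is an added example, not code from the article, from 0m3n, or from Straffic: it probes a cluster's index catalogue with no credentials and reports whether the catalogue (and therefore the data behind it) is readable anonymously. The host `203.0.113.10` is a placeholder from a documentation address range, and the `fetch` parameter is injectable so the logic can be exercised offline against canned responses.

```python
"""Check whether an Elasticsearch endpoint serves index metadata without credentials.

Added example for self-auditing your own clusters. The default fetcher performs
a plain GET with no Authorization header; pass a custom `fetch` to test offline.
"""
import json
import sys
import urllib.error
import urllib.request
from typing import Callable, Tuple

# A fetcher takes a URL and returns (http_status, body_text).
Fetcher = Callable[[str], Tuple[int, str]]


def urllib_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Default fetcher: anonymous GET, returning the status even for 4xx/5xx."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def check_elasticsearch_exposure(base_url: str, fetch: Fetcher = urllib_fetch) -> dict:
    """Ask the cluster for its index list the way a scanner would and classify the reply.

    Returns a dict with:
      exposed - True if index metadata is readable with no credentials at all
      status  - HTTP status of the /_cat/indices request
      indices - index names returned (empty unless exposed)
      docs    - total document count across those indices
    """
    base = base_url.rstrip("/")
    status, body = fetch(f"{base}/_cat/indices?format=json&h=index,docs.count")
    result = {"exposed": False, "status": status, "indices": [], "docs": 0}

    # 401/403 means authentication is enforced: this is the healthy outcome.
    # Anything other than 200 (connection refused, proxy page, etc.) is also "not exposed".
    if status != 200:
        return result
    try:
        rows = json.loads(body)
    except json.JSONDecodeError:
        return result  # 200 but not Elasticsearch JSON, e.g. a captive portal
    if not isinstance(rows, list):
        return result

    # A 200 with a JSON list of indices means anyone who can reach the port can
    # enumerate the data, and almost certainly read the documents behind it.
    result["exposed"] = True
    for row in rows:
        result["indices"].append(row.get("index", "?"))
        try:
            result["docs"] += int(row.get("docs.count") or 0)
        except ValueError:
            pass  # closed indices report a blank count
    return result


if __name__ == "__main__":
    # Usage: python es_exposure.py http://203.0.113.10:9200
    target = sys.argv[1] if len(sys.argv) > 1 else "http://203.0.113.10:9200"
    verdict = check_elasticsearch_exposure(target)
    state = "EXPOSED" if verdict["exposed"] else "not anonymously readable"
    print(f"{target}: {state} (HTTP {verdict['status']}, "
          f"{len(verdict['indices'])} indices, {verdict['docs']} docs)")
```

A cluster that returns 401 or 403 here is enforcing authentication, which is the state you want; a 200 with an index list means the fix is to bind the node to a private interface, put it behind a firewall, and enable authentication, not merely to rotate the credentials that leaked. Run it only against clusters you are responsible for.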

What is the company Straffic and why do they have your data?

Straffic bills itself as a “Private Performance Marketing Network,” a vague word salad that means they’re an internet marketing company. 

They have a simple business model. People and organizations with products to sell approach Straffic, which in turn places their ads on affiliate sites. Any site can sign up to be a Straffic partner, but the focus is on the European and North American markets.

Their business is not much different from Google's or Facebook's. Google may be a search engine and Facebook a social media site, but their money comes from charging advertisers for access to their audiences. The difference is that Straffic has no audience of its own, so it is forced to be the middleman between advertisers and the sites it places ads on.

This raises several questions the company has not answered: What is Straffic's competitive edge? Why don't its advertisers just go to the bigger companies? Why wouldn't its web partners just use Google AdSense? Who is advertising with Straffic, and why?

How did Straffic get your data?

It's incredibly easy for any company to buy mountains of private data. There's a thriving industry of companies and individuals that collect personal information by taking a data point you willingly provided, or data they got their hands on some other way, and cross-referencing it against publicly available sources like property and court records. The results are compiled into a profile of each individual.

Take this example. You use your email address to sign up for one silly thing or another. Someone then takes that email address and searches Facebook, LinkedIn, or Twitter, probably all of them. If you signed up with that email, the search brings up your profile. The same search can be done with a phone number if you used one to sign up.

If your posts are public, which many are, the searcher will have your full name, age, workplace, where you went to school, the city you live in, your spouse, friends, relatives, and the like. 

[Image: A courthouse in Pueblo, Colorado]

The searcher can then use your real name to search court and property records in your area, which reveals your physical address. Your ZIP code alone gives away things like your likely income range, information that's very valuable to advertisers. With your physical address, age, education, workplace, marital status, number of kids, and spending habits gleaned from overly revealing social media posts, advertisers can make a fairly accurate guess at your disposable income.

This sounds like a laborious process, but with data-fetching APIs and a custom program or two, computers can pull and cross-reference most of this information in minutes. These companies then compile the results into huge data sets and sell them. Much of this was legal, or at least unregulated, until laws like the GDPR and CCPA restricted it and attached fines to violations.

Besides these questionably legal means of collection, there are outright illegal ones: websites and apps selling user data, and hackers and disgruntled employees with access to sensitive information hawking their data sets all over the darknet. That's to say nothing of the mountains of personal data you may have inadvertently handed over by clicking "Agree" without reading the terms and conditions. Straffic could have obtained its data from any of these sources.
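The enrichment chain described in the preceding paragraphs (email or phone, to a social profile, to a name and city, to a property record, to a ZIP code and an income band) is, mechanically, a series of joins on normalized keys. The script below is an added illustration, not code from the article or from any data broker: every source is a constructed in-memory dictionary standing in for an API call, the person, address, phone number and income band are invented, and the Gmail dot-and-plus normalization is included because it is the kind of step that lets two "different" sign-up emails collapse into one record.

```python
"""Toy data-broker enrichment: grow one email address or phone number into a profile.

Added example with entirely constructed data. Each dict below stands in for a
source a broker would query (social sites, property records, ZIP-level census data).
"""
import re
from typing import Dict, Optional


def normalize_email(email: str) -> str:
    """Lower-case, strip '+tag', and drop Gmail dots so address variants join."""
    local, _, domain = email.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


def normalize_phone(phone: str) -> str:
    """Digits only; assume a North American number and drop a leading country code."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def normalize_name(name: str) -> str:
    return " ".join(name.lower().split())


# --- constructed sources (the person, number and address are fictional) ---
SOCIAL_BY_EMAIL = {
    "janedoe@gmail.com": {"name": "Jane Doe", "city": "Pueblo", "employer": "Acme Corp"},
}
SOCIAL_BY_PHONE = {
    "7195550123": {"name": "Jane Doe", "city": "Pueblo", "employer": "Acme Corp"},
}
PROPERTY_RECORDS = {
    ("jane doe", "pueblo"): {"address": "123 Example St", "zip": "81003"},
}
ZIP_INCOME_BAND = {"81003": "40k-60k"}  # constructed; real brokers use census tables


def build_profile(email: Optional[str] = None, phone: Optional[str] = None) -> Dict[str, str]:
    """Chain the lookups: identifier -> social profile -> public records -> inferred income."""
    profile: Dict[str, str] = {}
    if email:
        profile["email"] = normalize_email(email)
        profile.update(SOCIAL_BY_EMAIL.get(profile["email"], {}))
    if phone:
        profile["phone"] = normalize_phone(phone)
        # setdefault so a second source corroborates rather than overwrites the first
        for key, value in SOCIAL_BY_PHONE.get(profile["phone"], {}).items():
            profile.setdefault(key, value)
    # Name plus city is enough to hit property records, which yield the address.
    if "name" in profile and "city" in profile:
        record_key = (normalize_name(profile["name"]), profile["city"].lower())
        profile.update(PROPERTY_RECORDS.get(record_key, {}))
    # ZIP code alone is enough to attach an income estimate.
    if "zip" in profile:
        profile.setdefault("income_band", ZIP_INCOME_BAND.get(profile["zip"], "unknown"))
    return profile


if __name__ == "__main__":
    for seed in ("Jane.Doe+promo@Gmail.com", "nobody@example.org"):
        print(seed, "->", build_profile(email=seed))
    print("+1 (719) 555-0123 ->", build_profile(phone="+1 (719) 555-0123"))
```

The point of the example is how little the seed has to be: one mangled email address or one phone number, if it ever appeared in a source the broker can query, is enough to reach an address and an income estimate. The defensive corollary is the same one the article makes later: each separate identifier you use for sign-ups is one fewer join key.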

How do you know if you were affected by the Straffic breach?

Credit Karma users got email notifications. Those signed up to Have I Been Pwned and other breach notification services knew as soon as the breach was exposed. Others had to wait until they were swamped with marketing messages, scammy calls, and spam emails to figure out something was wrong.

What were the consequences of the Straffic breach?

Straffic the company seems to have escaped consequences for exposing the private data of so many people. There have been no prosecutions, fines, investigations, or even a measly apology two years down the line. 

In Straffic’s acknowledgment of the breach, the company “regretted” that a vulnerability had been found and promised that it had been “patched up.” Straffic concluded its statement by saying a totally immune system was impossible and “these things happen.”

How to protect yourself from breaches

You can't really protect yourself from breaches. You don't have control over all the databases that hold your information.

The best you can do is mitigate the risk. That starts with limiting the amount of data you put out there in the first place. Keep two or three email addresses for different purposes. Avoid social media, and if you must use it, set your profile to private, visible only to friends and family instead of every bot on the internet.

You can also go and delete your data from all the companies that have it. This does nothing against those who have bought it without your knowledge like Straffic but it’s a good first step.