Massive data leak at IMDataCenter exposes personal information of millions

A major data leak at IMDataCenter, a Florida-based data solutions provider, has exposed a trove of sensitive personal information, placing millions of individuals and several corporate clients at risk of fraud, phishing attacks, and identity theft.

Cybersecurity researcher Jeremiah Fowler uncovered the breach after discovering an unprotected 38GB database containing over 10,800 records, including CSV and PDF files, left openly accessible online without password protection or encryption. The exposed data included names, physical addresses, phone numbers, email addresses, and other sensitive lifestyle information such as home and vehicle ownership status.

The data, typically used by IMDataCenter to support clients across industries such as healthcare, insurance, and political marketing, is part of a much larger library containing over 260 million individual profiles and 600 million email addresses. While the exact number of people affected remains unclear, Fowler noted that each file contained thousands of entries, underscoring the widespread impact.

“This kind of verified, detailed information can be a goldmine for cybercriminals,” Fowler stated in his report, warning that such data could be used to craft highly personalized scams or build detailed profiles for illicit purposes.

The breach also raises concerns about broader systemic risks. Among the leaked files were references to client organizations, including folders and filenames suggesting associations with airlines, hospitals, universities, and auto dealerships. While the clients were not explicitly named in the documents, the nature of the files implied access to sensitive data from a wide range of sectors.

Hackread.com later reported that a user known as ThinkingOne on the dark web forum BreachForums claimed responsibility for accessing IMDataCenter’s exposed AWS storage. According to the user, the full data cache expanded to roughly 75GB when uncompressed and included more than 20 million unique email addresses, 37 million phone numbers, and over 50,000 Social Security numbers.

ThinkingOne alleged that they attempted to warn IMDataCenter after discovering the vulnerability but received no response. Eventually, they downloaded the data, which appeared to be updated regularly. While they did not publicly name IMDataCenter’s clients, they confirmed extracting files containing personally identifiable information and details about end users.

Upon receiving Fowler’s responsible disclosure, IMDataCenter promptly restricted public access to the database. In response to the notification, a company representative acknowledged the issue, stating, “Data security is really important to us too and really appreciate you sharing this information with us. We are working to secure the information ASAP.”

It remains unclear whether IMDataCenter managed the exposed data directly or whether a third-party contractor was responsible for its storage and security. The company has not publicly commented on the extent of the breach or confirmed whether law enforcement or regulatory authorities have been notified.